Removing gotos from computer languages resulted in more understandable, maintainable and verifiable code. Restricting recursion to primitive recursion in computer languages such as PASCAL has similar results. This dissertation develops a highly structured programming language where recursion is limited to primitive recursion. Programs in the language compute exactly the class of primitive recursive functions. A Hoare verification system is developed for this language. It is proved that this system is sound and complete.


CHAPTER 1
INTRODUCTION


The term structured programming emerged in the seventies. It became necessary for the advertisement of every software product to sport the word structured several times, preferably in the product's title. This was not due simply to the faddishness of a quickly growing field. Structured programming works. While at first gotoless programming appeared to be taking a tool away from the developer, in fact it provided a framework in which to reason clearly. Structured programming enhances programmability by organizing the programmer's thoughts. It also enhances the verifiability and maintainability of software.

To be structured has been defined as the ability to understand the meaning of the whole from the meaning of the parts and a few combining rules. This goes hand in hand with modularity. Each module is a portion of the program. The meaning of the whole comes from the meaning of each of the modules and the knowledge of how to put these modules together.

Computer languages have become increasingly structured. For example, object oriented programming modularizes both the code and data. Looking at the control structures of sequential programming languages such as PASCAL, the author will continue this trend towards more structured programming languages. Edmund Clarke reported surprising results that suggest that PASCAL-like languages are too flexible [7, 8]. He proved that there is no Hoare verification system for these languages. A central feature of PASCAL is recursion. The author sees a similarity between gotos and the unrestricted use of recursion. In this dissertation a powerful programming language is developed which is more structured than PASCAL. Specifically, recursion in this language is limited to primitive recursion.

Primitive recursion is powerful yet easy to understand. In essence primitive recursion is iterating on a single variable. A function defined by primitive recursion is defined directly at $n$ equal to zero. For $n$ greater than zero the function is defined using the result of applying the function at values less than $n$. The programs of a structured computer language where recursion is restricted to primitive recursion are easier to understand, maintain and verify than programs of a structured language which allows the unrestricted use of recursion.

The terms operational and denotational are used to contrast two methods of specifying the meaning of programs [34]. Originally program semantics were said to be operational if they were given in terms of operations on an abstract machine. The idea was that, although the abstract machine was unrealistic from a practical point of view, it was so simple that no misunderstanding could occur as to the meaning of the program. Denotational semantics, sometimes referred to as mathematical or functional semantics, describes the meaning of programs directly. Some type of semantic valuation function is used which maps syntactic constructs in the program to the abstract values which they denote.

The term operational is used more broadly today. Semantics are said to be defined operationally if they involve describing computational sequences. A problem is that operational semantics tend to give results of specific computations. Starting with a particular program, and an input vector, the semantics tell us how to crank the handle to obtain the result. Such descriptions may allow hidden ambiguities. For some programs it may be obvious that the operational semantics are well defined. However, when giving the semantics of a language, all programs that could possibly be written in the language should be considered.


An operational definition can be made mathematically rigorous. However, there is still another difference between operational and denotational semantics. In 1977 Joseph Stoy described a difference which still exists today.

The former defines the value of a program in terms of what an abstract machine does with the complete program. Its structure, therefore, need not correlate with the way the programmer thinks about his program when he selects particular syntactic components and combines them together in particular ways. In the denotational definition, on the other hand, the value of a program is defined in terms of the values of its subcomponents; it is more easily possible for us to confine our treatment to any particular part of the program we wish to examine. This may make it a more satisfactory tool for the language designer and also for those concerned with validating various techniques for proving the correctness of particular programs. [34, page 20]

For many programming languages the operational semantics are defined easily while the denotational semantics are not. In general, denotational semantics have not been defined for programming languages including recursion. The author suggests that this is a result of current programming languages being too flexible.

Denotational semantics exist for the programming language presented here. Every program can be translated into a primitive recursive function. Furthermore, since there is a term in Primitive Recursive Arithmetic, PRA, for every primitive recursive function, there is a PRA term which describes each program in this programming language. There is also a PRA axiom which shows how that term was built. The class of primitive recursive functions is defined in Appendix A. The theory of PRA is presented in Appendix B.

This research is motivated by theoretical issues as well. In his seminal paper "An axiomatic approach to computer programming" C.A.R. Hoare [20] introduced a method of capturing the meaning of program constructs. This method may be used to define a programming language or to verify programs relative to given pre and postconditions. Hoare statements are triples of the form $\{P\}S\{Q\}$ where $P$ and $Q$ are formulas in a first order assertion language and $S$ is a program segment. The statement $\{P\}S\{Q\}$ is true if, whenever $P$ holds for the initial values of $S$ and $S$ is executed, either $S$ diverges or $Q$ holds for the final values of $S$.

Verification systems should be sound and complete. A system is sound if all statements which are provable in the system are true. Completeness implies that all true statements are provable. When a verification system is sound and complete the notions of provability and truth are equivalent. This allows investigators to manipulate syntactic proofs knowing that the results will be true, and conversely, to reason semantically knowing that a syntactic proof can be found.

A Hoare verification system consists of a set of axioms and rules, augmented by a theory. Hoare verification systems have been proposed for many programming languages. Apt [2] gives an excellent overview of these systems. These systems have axioms and rules which capture the meaning of each construct in the language; however, they are not sound and complete in the usual sense. Related to this is the possibility that the assertion language is not able to express all necessary pre- and postconditions. These problems will be discussed separately.

Current programming languages are universal in that they are capable of computing the full class of partial recursive functions. Hoare verification systems for these languages typically use the full theory of the model to augment their Hoare axioms and rules. This full theory is not even a recursively axiomatizable theory. In addition this usage obliterates the distinction between provability and truth. One can no longer talk about soundness and completeness in the usual sense because syntactic proofs depend on a particular model. Given a theory $T$, write $\models_T \{P\}S\{Q\}$ if for any model $M$ of $T$, $M \models \{P\}S\{Q\}$. A Hoare verification system, with a set $H$ of axioms and rules, should have a first order theory $T$ to augment $H$ so that a soundness and completeness theorem would read

$$\vdash_{H,T} \{P\}S\{Q\} \iff \models_T \{P\}S\{Q\}.$$

Instead the soundness and completeness theorems for universal programming languages read

$$\vdash_{H,\mathrm{Theory}(M)} \{P\}S\{Q\} \iff \models_M \{P\}S\{Q\}.$$

Completeness in this sense is referred to as relative completeness since the theory is chosen relative to a particular model.

The assertion theory may not be strong enough to express all necessary assertions. This gives rise to the second problem. Even the relative soundness and completeness theorem cannot be proven for these systems. There are models for which $\{P\}S\{Q\}$ is true but not provable with any set of Hoare axioms and rules augmented by the full theory of that model. A model of Presburger Arithmetic provides such an example [36]. Even though assertions $P$ and $Q$ may be expressed in Presburger Arithmetic, the intermediate assertions necessary to prove $\{P\}S\{Q\}$ may not. This results from the inability of Presburger Arithmetic to express multiplication. Given a programming language $\mathcal{L}$ and assertion language $L$, a model is expressive relative to $\mathcal{L}$ and $L$ if a postcondition $Q$ can be expressed for each assertion $P$ and program $S$ [12]. Soundness and completeness theorems for universal programming languages read

For all expressive models $M$

$$\vdash_{H,\mathrm{Theory}(M)} \{P\}S\{Q\} \iff \models_M \{P\}S\{Q\}.$$

The above problems do not interfere with the search for Hoare axioms and rules that capture the meaning of various programming constructs. Bergstra and Tucker show that models of PA are expressive for a weak WHILE language [4]. However, the following question arises. Can a truly sound and complete verification system be developed for a powerful language which is based on a particular theory?

Subrecursive programming languages are languages whose programs compute only a subset of the class of partial recursive functions. Since there is no reasonable theory which captures the class of partial recursive functions, a language based on a particular theory would need to be subrecursive. There are various classes of functions and corresponding theories. The class of primitive recursive, PR, functions and its theory Primitive Recursive Arithmetic, PRA, were chosen for this research. PRA is an attractive theory because all practically computable functions are primitive recursive, the axioms and rules of PRA are elegant, and primitive recursion itself is easy to understand.

This dissertation shows that a truly sound and complete verification system can be developed for a computer language based on PRA. In Chapter 2 a minimal programming language and its verification system are presented. The remaining chapters extend this language into a PASCAL-like language which computes exactly the class of PR functions. The result is a powerful programming language where recursions are cleanly nested. Additional advantages of the system presented are that proofs in the verification system are recursively enumerable and all programs halt.

At this stage the above advantages may appear more theoretical than practical. They do, however, give compelling evidence that the restrictions on programming languages presented in this dissertation are legitimate and may lead to a more verifiable programming language.

The choice of what computer language constructs to add to the minimal PR programming language is motivated by Clarke [7]. Clarke proved that there is no relatively complete Hoare system for a language containing internal procedures, global variables, static scope, procedures as parameters and recursion. In Chapter 3 the minimal PR programming language is extended to include the declaration of temporary variables. In the original PR programming language, work variables had to be treated as input variables. In Chapter 4 recursive parameterless procedures are added to the language. In this language variables are global and static scope is assumed. Fairly severe restrictions are made so that this language does not lead outside of the class of PR functions. These restrictions are what make the language so highly structured. Variable and procedure parameters are added to the language in Chapter 5. The reference chain of a procedure call is a list of those procedures which must be understood in order to understand this call. Olderog [29] showed that Clarke's incompleteness result hinges on the possibility of a program in the language containing a call with an unbounded reference chain. For this reason the language in Chapter 5 is restricted so that reference chains are bounded.

Each language is reported in the same format. After the syntax and semantics of the language are defined, it is shown that programs in the language compute exactly the class of primitive recursive functions. A Hoare verification system is presented and in the final sections it is proved that this system is sound and complete.


CHAPTER 2
MINIMAL PR PROGRAMMING LANGUAGE $\mathcal{L}_{PR}$


2.1 Syntax of $\mathcal{L}_{PR}$


The tokens of $\mathcal{L}_{PR}$ programs include an infinite set $VI$ of variable identifiers or simply variables. The vector $\bar{x}_n$ refers to a list $x_1, \ldots, x_n$ of variables. Additionally, there is the constant $0$, the successor operator $s$, and the special tokens $:=$, $;$, loop and end.

An expression language is used to specify the expressions forming the right side of assignment statements and expressions controlling loops. The set of expressions is defined as the closure of $0$ and the variables $x$ under the successor operator. The more natural notation, $x + 1$, is frequently used instead of $s(x)$.

The set of program segments is defined in Backus-Naur form for variable identifier $x$ and expression $e$ as follows:

$$S ::= x := e \mid S_1; S_2 \mid \text{loop } e;\ S_1 \text{ end}.$$

The variables which appear in $S$ and $e$ are denoted $var(S)$ and $var(e)$, respectively. In subsequent languages discussed variables may be bound. Variables which are not bound in $S$ are said to be free with respect to $S$, and are denoted $free(S)$. In this section $free(S) = var(S)$. Nevertheless the terms $free(S)$ and $var(S)$ are not interchangeable because this section serves as a basis for future languages where $free(S) \neq var(S)$. The free variables of program segment $S$ will also be referred to as the active variables of $S$. In the program segment loop $e$; $S_1$ end it is required that

$$var(e) \cap free(S_1) = \emptyset.$$

A program $\pi$ in this primitive recursive programming language is a program segment $S$ with the free variables of $S$ serving as $\pi$'s input variables and a special variable from $free(S)$ serving as $\pi$'s output variable. Thus $\pi$ is given by the pair $(S, x)$ where $x \in free(S)$.


2.2 Semantics of $\mathcal{L}_{PR}$


The semantics of $\mathcal{L}_{PR}$ programs are given in the style of Olderog [29]. First some preliminary concepts are presented. An assertion language is used to specify predicates describing a program's behavior. This language is an extension of the expression language and is a first-order language in which PRA can be expressed. The formulas in this language are defined in the usual way. The set of variables in formula $P$ is denoted $var(P)$ and the set of free variables is denoted $free(P)$.

The meaning of the expressions and formulas of the assertion language depends on the interpretation and the values of the free variables. States assign values to variables. A program's state is finite. It is assumed, however, that whenever reference is made to a variable, the state will have a value for that variable. Therefore the state can be seen as infinite. This is similar to seeing the Turing Machine tape as infinite to the right. It is assumed that a move to the right never takes the read/write head off the end of the tape. Thus the tape appears infinite to the right. For any terminating program, however, the tape is finite. While it simplifies the semantics to view states as infinite, they must be representable in each model of PRA. Therefore they must be finite so they can be encoded.

Assume an interpretation $I$ of the language of PRA with domain $D$. View the state $s$ as a totally defined mapping $s : VI \to D$. Given an interpretation $I$ and a state $s$, the evaluation of expression $e$, denoted $I(e)(s)$, and the truth value of a formula $P$, denoted $I(P)(s)$, are defined in a standard way. Write $\models_{I,s} P$ if $I(P)(s)$ is true. Write $\models_I P$ if $\models_{I,s} P$ holds for every state $s$. For theory $T$ write $\models_T P$ if $\models_I P$ holds for every interpretation $I$ of $T$. The set of all states is denoted $St$. For a state $s$ let $s\{d/x\}$ denote the state resulting from replacing the value associated with variable identifier $x$ by domain value $d$. That is, $s\{d/x\}$ denotes the state $s'$ where

$$s'(x) = d \quad \text{and} \quad s'(y) = s(y) \text{ for } y \neq x.$$

For a set of variables $X \subseteq VI$ the restriction of $s$ to $X$ is denoted $s{\restriction}X$. $St_I(P)$ denotes the set of all states expressed by $P$, i.e. $St_I(P) = \{s \text{ such that } \models_{I,s} P\}$.

The concept of substitution is developed next. Substitutions can occur in a variety of situations. The terms general substitution and substitution will be defined. For expressions $e_i$ and variable identifiers $x_i$, all $x_i$'s distinct, let $\rho = [e_1, \ldots, e_n / x_1, \ldots, x_n]$, or equivalently $\rho = [\bar{e}_n / \bar{x}_n]$, denote the mapping

$$\{(x_1, e_1), \ldots, (x_n, e_n)\} \cup \{(y, y) \mid y \in VI \text{ and } y \neq x_i,\ 1 \le i \le n\}.$$

A general substitution $\rho$ is a mapping where the replacement terms are expressions. General substitutions on formulas, $P\rho$, are defined as usual. Recall that bound variables in $P$ have to be renamed to avoid clashes with inserted variables.

In many contexts variables may only be replaced by other variables. Furthermore, to avoid more than one variable identifier referring to the same variable, the variables used as replacement variables must be distinct. Thus a general substitution $\rho = [\bar{e}_n / \bar{x}_n]$ is called a substitution on $Y$ if each $e_i$ is a variable identifier and for all $u, u' \in Y$, $\rho(u) = \rho(u') \to u = u'$. That is, a substitution on $Y$ must be injective on $Y$.

Let $\rho$ be a substitution on $X$. Define $\rho$ on a state $s$ by

$$s\rho(x) = s(\rho(x)) \quad \text{for } x \in X.$$
General substitutions are not defined on states. The following two lemmas link general substitutions on formulas to replacements on states.

Lemma 1 (Substitution and replacement on terms.) For a term $\tau$

$$I(\tau[e/x])(s) = I(\tau)(s\{I(e)(s)/x\}).$$

Proof: Prove this by induction on the definition of the term $\tau$. □

Lemma 2 (Substitution and replacement on formulas.) For a formula $P$

$$I(P[e/x])(s) = I(P)(s\{I(e)(s)/x\}).$$

Proof: Prove this by induction on the definition of a formula $P$. □

Corollary 3 For a formula $P$

$$s \in St_I(P[e/x]) \iff s\{I(e)(s)/x\} \in St_I(P).$$

Corollary 4 For a formula $P$ and $y \notin free(P)$

$$s \in St_I(P) \iff s\{I(x)(s)/y\} \in St_I(P[y/x]).$$

Proof:

$s \in St_I(P) \iff s \in St_I((P[y/x])[x/y])$ ($y \notin free(P)$)
$\iff s\{I(x)(s)/y\} \in St_I(P[y/x])$ (Corollary 3)

□

Appendix A describes the class of PR functions on the natural numbers. For a model of PRA with domain $D$ call a function $f : D \to D$ PR if there is a term $\tau$ in the language of PRA such that $\forall x \in D\ (f(x) = \tau(x))$. To show the existence of such a term show that if $D$ is the set of natural numbers, $N$, the function $f : N \to N$ is PR.

For $I$ an interpretation on $N$ and $I(e)(s) = n$, let $f^{I(e)(s)}$ denote the $n$th composition of $f$. That is, $f^0 = g$ where $\forall x\,(g(x) = x)$ and $f^{n+1} = f \circ f^n$.

The semantics $f_S$ of program segment $S$ are given as functions between states as follows.

$S = x := e$

$$f_S(s) = assign_I(x, e)(s) = s\{I(e)(s)/x\}$$

$S = S_1; S_2$

$$f_S(s) = comp_I(f_{S_1}, f_{S_2})(s) = f_{S_2} \circ f_{S_1}(s)$$

$S =$ loop $e$; $S_1$ end

$$f_S(s) = loop_I(e, f_{S_1})(s) = f_{S_1}^{\,I(e)(s)}(s)$$

The functions $comp_I(f_{S_1}, f_{S_2})$ and $loop_I(e, f_{S_1})$ will frequently be written $comp_I(S_1, S_2)$ and $loop_I(e, S_1)$, respectively.

Let $X$ be a finite subset of $VI$ and $f$ be a totally defined state function. Then $f$ is called a program function on $X$ if $f$ is PR and the following properties hold:

1. If $f(s) = s'$ then $s{\restriction}(VI \setminus X) = s'{\restriction}(VI \setminus X)$. This is the stability property with respect to the variables $VI \setminus X$.

2. If $s_1{\restriction}X = s_2{\restriction}X$ then $f(s_1){\restriction}X = f(s_2){\restriction}X$. This is the aloofness property with respect to the variables $VI \setminus X$.

It will be shown that state function $f_S$ is a program function on $free(S)$.
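As an added example (not code from the dissertation), the following Python program parses the textual syntax of $\mathcal{L}_{PR}$ given in Section 2.1, computes $var(e)$ and $free(S)$, enforces the side condition $var(e) \cap free(S_1) = \emptyset$, and implements the state functions $assign_I$, $comp_I$ and $loop_I$ of this section over the standard model $N$. It also checks the stability and aloofness properties of $f_S$ on sample states, which Lemma 7 below proves in general. The concrete text form of programs, the tuple representation of the syntax tree, the reserved token `s` for the successor operator and the convention that a variable absent from a finite state reads as 0 are assumptions of this example.

```python
# Parser and state semantics for the minimal PR language L_PR:
#   S ::= x := e | S1 ; S2 | loop e; S1 end      e ::= 0 | x | s(e)   (e + 1 is sugar for s(e))
# Added example, not code from the dissertation; the concrete text syntax and the
# convention that a variable absent from a finite state reads as 0 are assumptions.
import re

IDENT = r"[A-Za-z_]\w*"
KEYWORDS = {"loop", "end", "s"}                   # 's' is the successor operator
TOKEN = re.compile(r":=|" + IDENT + r"|\d+|\S")   # any other non-space char is a bad token

class Parser:
    # ASTs: ('zero',) | ('var', x) | ('succ', e)  and  ('assign', x, e) | ('seq', S1, S2) | ('loop', e, S1)
    def __init__(self, src):
        self.toks, self.i = TOKEN.findall(src), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        t = self.peek()
        if t is None or (expected is not None and t != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {t!r}")
        self.i += 1
        return t
    def ident(self):
        x = self.take()
        if not re.fullmatch(IDENT, x) or x in KEYWORDS:
            raise SyntaxError(f"bad variable identifier {x!r}")
        return x
    def expr(self):
        if self.peek() == "0":
            self.take(); e = ("zero",)
        elif self.peek() == "s":
            self.take(); self.take("("); e = ("succ", self.expr()); self.take(")")
        else:
            e = ("var", self.ident())
        while self.peek() == "+":                 # e + 1 stands for s(e)
            self.take(); self.take("1"); e = ("succ", e)
        return e
    def stmt(self):
        if self.peek() == "loop":
            self.take(); e = self.expr(); self.take(";"); body = self.seq(); self.take("end")
            if var_e(e) & free(body):             # side condition var(e) ∩ free(S1) = ∅
                raise ValueError(f"loop bound {e} mentions a variable of its body")
            return ("loop", e, body)
        x = self.ident(); self.take(":=")
        return ("assign", x, self.expr())
    def seq(self):
        S = self.stmt()
        while self.peek() == ";":
            self.take(); S = ("seq", S, self.stmt())
        return S

def parse(src):
    p = Parser(src); S = p.seq()
    if p.peek() is not None:
        raise SyntaxError(f"unexpected {p.peek()!r} after the program")
    return S

def var_e(e):                    # var(e)
    return set() if e[0] == "zero" else {e[1]} if e[0] == "var" else var_e(e[1])
def free(S):                     # free(S), which equals var(S) in L_PR
    if S[0] == "assign": return {S[1]} | var_e(S[2])
    if S[0] == "seq": return free(S[1]) | free(S[2])
    return var_e(S[1]) | free(S[2])
def eval_e(e, s):                # I(e)(s) over the standard model N
    return 0 if e[0] == "zero" else s.get(e[1], 0) if e[0] == "var" else eval_e(e[1], s) + 1

def f(S, s):                     # the state function f_S
    if S[0] == "assign":         # assign_I(x, e)(s) = s{I(e)(s)/x}
        return {**s, S[1]: eval_e(S[2], s)}
    if S[0] == "seq":            # comp_I(f_S1, f_S2)(s) = f_S2(f_S1(s))
        return f(S[2], f(S[1], s))
    for _ in range(eval_e(S[1], s)):   # loop_I(e, f_S1)(s) = f_S1^{I(e)(s)}(s)
        s = f(S[2], s)
    return s

def run(src, output, **inputs):  # program pi = (S, output): inputs s(x_i), result f_S(s)(x_j)
    S = parse(src)
    if output not in free(S):
        raise ValueError(f"output variable {output!r} is not free in S")
    return f(S, dict(inputs)).get(output, 0)

def well_formed(src):            # True iff src parses and every loop meets the side condition
    try:
        parse(src); return True
    except (SyntaxError, ValueError):
        return False

def is_program_function(S, states):
    # stability: f_S leaves variables outside free(S) unchanged;
    # aloofness: states agreeing on free(S) give results agreeing on free(S)
    X = free(S)
    for s1 in states:
        t1 = f(S, s1)
        if any(t1.get(v, 0) != s1.get(v, 0) for v in set(s1) | set(t1) if v not in X):
            return False
        for s2 in states:
            t2 = f(S, s2)
            if all(s1.get(x, 0) == s2.get(x, 0) for x in X) and any(t1.get(x, 0) != t2.get(x, 0) for x in X):
                return False
    return True
```

Calling `run("z := x; loop y; z := z + 1 end", "z", x=3, y=4)` evaluates the program $\pi = (S, z)$ on the input state with $s(x) = 3$, $s(y) = 4$ and returns $f_S(s)(z) = 7$. The loop bound is evaluated once, before the body runs, and may not be assigned inside the body; that is exactly what $f_{S_1}^{\,I(e)(s)}$ expresses, and it is why the parser rejects `loop x; x := x + 1 end`.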

Let $\rho$ be a substitution on $X$ and $f$ be a state function on $X$. Define $\rho$ on $f$ as follows.

$s(w)$ otherwise.

Show that for program segment $S$ syntactical and semantical substitutions correspond to each other as expected.

Lemma 5 (Pre-Substitution Lemma) For an expression $e$ and a substitution $\rho$

$$I(e\rho)(s) = I(e)(s\rho).$$

Proof: Prove the lemma by induction on an expression $e$. □

Lemma 6 (Substitution Lemma) For a program segment $S$ and a substitution $\rho$ which is injective on $free(S)$

$$f_{S\rho}(s) = f_S\rho(s).$$

Proof: Prove the lemma by induction on a program segment $S$.

$S = x_i := e$

$f_{S\rho}(s)(x) = assign_I(\rho(x_i), e\rho)(s)(x)$
$= (s\{I(e\rho)(s)/\rho(x_i)\})(x)$
$= (s\{I(e)(s\rho)/\rho(x_i)\})(x)$
$= I(e)(s\rho)$ if $x = \rho(x_i)$, $s(x)$ if $x \neq \rho(x_i)$
$= I(e)(s\rho)$ if $x = \rho(x_i)$, $s\rho(\rho^{-1}(x))$ if $x \neq \rho(x_i)$
$= s\rho\{I(e)(s\rho)/x_i\}(\rho^{-1}(x))$
$= assign_I(x_i, e)(s\rho)(\rho^{-1}(x))$
$= assign_I(x_i, e)\rho(s)(x)$

$S = S_1; S_2$

The proof is straightforward.

$S =$ loop $e$; $S_1$ end

First show $f_{S_1\rho}^{\,n}(s)(x) = f_{S_1}^{\,n}(s\rho)(\rho^{-1}(x))$ by induction on $n$. Use this to prove the following.

$f_{S\rho}(s)(x) = loop_I(e\rho, f_{S_1\rho})(s)(x)$
$= f_{S_1\rho}^{\,I(e\rho)(s)}(s)(x)$
$= loop_I(e, f_{S_1})(s\rho)(\rho^{-1}(x))$
$= loop_I(e, f_{S_1})\rho(s)(x)$

□

Lemma 7 For program segment $S$, $f_S$ is a program function on $free(S)$.

Proof: It is shown that $f_S$ is PR for $I$ an interpretation on $N$ in the following section. Let $free(S) = X$.

To show $f_S$ is stable with respect to $X$ prove that for $x \in VI \setminus X$, $s(x) = f_S(s)(x)$. Since programs are finite and there are arbitrarily many variables there is a variable $y \in VI \setminus X$ where for any state $s$, $s(y) = f_S(s)(y)$. Let $\rho = [x/y]$.

$s(x) = s\rho(y)$
$= f_S(s\rho)(y)$ (choice of $y$)
$= (f_S)\rho(s)(x)$
$= f_{S\rho}(s)(x)$ (Substitution Lemma)
$= f_S(s)(x)$ ($x$ and $y$ are inactive)

Show $f_S$ is aloof with respect to $X = \{x_1, \ldots, x_k\}$. Assume $s_1{\restriction}X = s_2{\restriction}X$ and $x_i \in X$. Let $Y = \{y_1, \ldots, y_k\}$ where $X \cap Y = \emptyset$ and $\rho = [\bar{x}_k/\bar{y}_k]$.

$f_S(s_1)(x_i) = f_S(s_1\rho)(y_i)$
$= (f_S)\rho(s_1)(x_i)$
$= f_{S\rho}(s_1)(x_i)$ (Substitution Lemma)
$= s_1(x_i)$ ($x_i$ inactive in $S\rho$)
$= s_2(x_i)$ (assumption)
$= f_{S\rho}(s_2)(x_i)$ ($x_i$ inactive in $S\rho$)
$= (f_S)\rho(s_2)(x_i)$ (Substitution Lemma)
$= f_S(s_2\rho)(y_i)$
$= f_S(s_2)(x_i)$

□

The following properties of program functions do not depend on the syntax of $\mathcal{L}_{PR}$ and are important in subsequent proofs. Let $f(P) \subseteq Q$ serve as an abbreviation for $f(St_I(P)) \subseteq St_I(Q)$.

Lemma 8 Let $f$ and $g$ be program functions on $X$. Then

1. $assign_I(x, e)(P) \subseteq Q \iff \models_I P \to Q[e/x]$.

2. $comp_I(f, g)(P) \subseteq Q \iff \exists Y \subseteq St$ such that $f(P) \subseteq Y$ and $g(Y) \subseteq Q$.

3. $loop_I(e, f)(P[0/x]) \subseteq P[e/x] \Leftarrow f(P[y/x] \wedge 0 \le y < e) \subseteq P[s(y)/x]$ where $x \notin var(e) \cup X$, $y \notin var(e, P) \cup X$, $var(e) \cap X = \emptyset$ and $P$ is a bounded formula.
Proof:

1.

$assign_I(x, e)(P) \subseteq Q$
$\iff assign_I(x, e)(St_I(P)) \subseteq St_I(Q)$
$\iff \forall s\,(s \in St_I(P) \to assign_I(x, e)(s) \in St_I(Q))$
$\iff \forall s\,(s \in St_I(P) \to s\{I(e)(s)/x\} \in St_I(Q))$
$\iff \forall s\,(I(P)(s) \to I(Q)(s\{I(e)(s)/x\}))$
$\iff \forall s\,(I(P)(s) \to I(Q[e/x])(s))$
$\iff \forall s\,(I(P \to Q[e/x])(s))$

2.

$comp_I(f, g)(P) \subseteq Q$
$\iff g \circ f(P) \subseteq Q$
$\iff \exists Y \subseteq St$ such that $f(P) \subseteq Y$ and $g(Y) \subseteq Q$

(Remember that $f$ is a totally defined function.)

3. Let $x, y \notin X$, $y \notin var(P)$ and $t$ be an arbitrary state. Prove the following by induction on $d$.

If $\forall y < d$ ($\models_{I,t} P[y/x]$ implies $\models_{I,f(t)} P[s(y)/x]$)
then $\models_{I,t} P[0/x]$ implies $\models_{I,loop_I(d,f)(t)} P[d/x]$.

For $d = 0$, $\models_{I,t} P[0/x]$ implies $\models_{I,loop_I(0,f)(t)} P[0/x]$. Suppose $d > 0$ and $\forall y < d$ ($\models_{I,t} P[y/x]$ implies $\models_{I,f(t)} P[s(y)/x]$). By the inductive hypothesis $\models_{I,t} P[0/x]$ implies $\models_{I,loop_I(d-1,f)(t)} P[d-1/x]$. This is equivalent to $\models_{I,f^{d-1}(t)} P[s^{d-1}(0)/x]$, which implies $\models_{I,f^{d}(t)} P[s^{d}(0)/x]$. This is equivalent to $\models_{I,loop_I(d,f)(t)} P[d/x]$.

For $I(e)(s) = d$, $x, y \notin var(e)$, $var(e) \cap X = \emptyset$ and $P$ a bounded formula the above uses bounded induction to show

If $\models_{I,t} P[y/x] \wedge 0 \le y < e$ implies $\models_{I,f(t)} P[s(y)/x]$
then $\models_{I,t} P[0/x]$ implies $\models_{I,loop_I(e,f)(t)} P[e/x]$.
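As an added example (not from the dissertation), the following Python code checks the loop property of Lemma 8(3) on a bounded set of states. A formula $P$ with loop counter $x$ is represented as a predicate `P(t, k)` meaning "$P[k/x]$ holds in $t$", the program function $f$ as a function on states, and the bound $e$ as a function of the state. The check tests the premise $f(P[y/x] \wedge 0 \le y < e) \subseteq P[s(y)/x]$ on the sample states and on every state the loop passes through, and the conclusion $loop_I(e, f)(P[0/x]) \subseteq P[e/x]$ on the sample states; it also rejects a body that changes the bound, which is what the side condition $var(e) \cap X = \emptyset$ excludes. The sample loop, its invariants and the state dictionaries are constructed for this example.

```python
# Bounded check of the loop property in Lemma 8(3), the semantic form of a loop
# invariant.  Added example, not from the dissertation.  A formula P with loop
# counter x is modelled as a predicate P(t, k) meaning "P[k/x] holds in t";
# the body f is a state function and the bound e a function of the state.
from itertools import product

def loop_sem(bound, f, t):
    # loop_I(e, f)(t) = f^{I(e)(t)}(t)
    for _ in range(bound(t)):
        t = f(t)
    return t

def iterates(bound, f, t):
    # every state the loop passes through, so the premise is tested on all of them
    states = [dict(t)]
    for _ in range(bound(t)):
        t = f(t); states.append(dict(t))
    return states

def check_loop_rule(P, f, bound, seeds):
    """Test on the seed states and their iterates
       premise:    P[y/x] in t and 0 <= y < e   implies  P[s(y)/x] in f(t)
       conclusion: P[0/x] in t                  implies  P[e/x] in loop_I(e, f)(t)
    Returns (premise_cex, conclusion_cex); None means no counterexample was found."""
    premise_cex = conclusion_cex = None
    for seed in seeds:
        for t in iterates(bound, f, seed):
            if bound(f(t)) != bound(t):   # side condition var(e) ∩ X = ∅: the bound is fixed
                raise ValueError("the body changes the loop bound")
            for y in range(bound(t)):
                if premise_cex is None and P(t, y) and not P(f(t), y + 1):
                    premise_cex = (t, y)
        if conclusion_cex is None and P(seed, 0) and not P(loop_sem(bound, f, seed), bound(seed)):
            conclusion_cex = seed
    return premise_cex, conclusion_cex

# Constructed sample: the loop "loop b; z := z + 1 end", which adds b to z.
BODY = lambda t: {**t, "z": t["z"] + 1}
BOUND = lambda t: t["b"]
P_GOOD = lambda t, k: t["z"] == t["a"] + k          # invariant z = a + x, preserved by the body
P_BAD = lambda t, k: t["z"] == t["a"] + 2 * k       # z = a + 2x, not preserved by the body
SEEDS = [{"a": a, "b": b, "z": z} for a, b, z in product(range(3), range(4), range(4))]

def demo():
    return {"good": check_loop_rule(P_GOOD, BODY, BOUND, SEEDS),
            "bad": check_loop_rule(P_BAD, BODY, BOUND, SEEDS)}

if __name__ == "__main__":
    print(demo())
```

For the invariant $z = a + x$ both checks pass; for $z = a + 2x$ the premise already fails at $y = 0$, and the reported counterexample is the state and counter value at which preservation breaks. A finite check of this kind supports, but does not replace, the inductive argument in the proof above.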
Given an $\mathcal{L}_{PR}$ program $\pi = (S, x_j)$ where $free(S) = \{x_1, \ldots, x_k\}$, the meaning of $\pi$ is the program function $f_S$ interpreted as follows: given $f_S(s) = s'$ then for inputs $s(x_1), \ldots, s(x_k)$, $\pi$ outputs $s'(x_j)$.

2.3 $\mathcal{L}_{PR}$ Computes the Class of PR Functions

A series of classes of PR functions will be defined, each class in terms of the previous class. The final set represents the functions computed by $\mathcal{L}_{PR}$ programs. This class is equivalent to the PR functions.

Throughout the remainder of this chapter underlined variables will denote hard-coded values. That is, given a pair $(\underline{x_i}\ x_i)$, $\underline{x_i}$ is to be replaced by a variable identifier at definition time. The second $x_i$ in the pair is a regular variable which stands for an arbitrary domain value.

Assume an interpretation $I$ of PRA with domain $D$. Let $X = \{x_1, \ldots, x_k\}$ be a finite set of variables and for each variable $x_i$ there is a domain value $d_i$ where $s(x_i) = d_i$. Write $s{\restriction}X = ((\underline{x_1}\ d_1) \cdots (\underline{x_k}\ d_k))$. If the variable identifiers also come from $D$ this list can be coded and decoded within $D$ such that for $s{\restriction}X$ as above, $c$ a coding function and $(x)_{x_i}$ decoding functions,

$$c((\underline{x_1}\ d_1) \cdots (\underline{x_k}\ d_k)) = x \iff (x)_{x_i} = d_i, \quad 1 \le i \le k.$$

Notice that a set of coding and decoding functions is being defined. A different coding function, and set of decoding functions, is being defined for each set of variable identifiers $X$.

Let $c(\underline{\bar{x}_k}, \bar{d}_k)$ serve as an abbreviation for $c((\underline{x_1}\ d_1) \cdots (\underline{x_k}\ d_k))$. Call $x = c(\underline{\bar{x}_k}, \bar{d}_k)$ a state code on $X = \{x_1, \ldots, x_k\}$ and write $var(x) = X$. There is a PR predicate which takes a set of variables $Y$ and a state code $x$ and determines if $Y \subseteq var(x)$. Cutland [13, page 41] provides an example of such a predicate.

State codes are domain objects which encode a portion of a state. The theory of PRA is typically defined with a single type of object. Therefore states must be coded into this type of object. An alternative would be to define PRA to be multi-typed. That is, define PRA so that its models contain not only base elements but more complex elements such as sets or sequences as well. The details explode in the formalization of either method. Encoding states into state codes is a straightforward approach.

For expression $e$ in an $\mathcal{L}_{PR}$ program define $g_e : D \to D$, relative to $X$, by recursion as follows.

$e = x_i$: $g_e(x) = (x)_{x_i}$

$e = s(e_1)$: $g_e(x) = g_{e_1}(x) + 1$

Notice that $g_e$ is a PR function where $g_e(c(s{\restriction}X)) = I(e)(s)$.

For each variable identifier $x_i$ define the function $set_{x_i}$ such that

$$set_{x_i}(e, x) = \begin{cases} c((\underline{x_1}\ (x)_{x_1}) \cdots (\underline{x_{i-1}}\ (x)_{x_{i-1}})\,(\underline{x_i}\ g_e(x))\,(\underline{x_{i+1}}\ (x)_{x_{i+1}}) \cdots (\underline{x_k}\ (x)_{x_k})) & \text{if } x_i \in var(x) \\ x & \text{otherwise.} \end{cases}$$

Lemma 9 For expression $e$, state $s$ and coding function $c$ where $var(e) \subseteq X = \{x_1, \ldots, x_k\}$

$$set_{x_i}(e, c(s{\restriction}X)) = c(s\{I(e)(s)/x_i\}{\restriction}X).$$

Proof: The proof is a straightforward application of the definitions. □
For program segment $S$ in an $\mathcal{L}_{PR}$ program define $g_S : \mathcal{D} \to \mathcal{D}$, relative to $X$, by recursion as follows.

$$S = x_i := e:\quad g_S(x) = set_{x_i}(e, x)$$

$$S = S_1; S_2:\quad g_S(x) = g_{S_2}(g_{S_1}(x))$$

$$S = \text{loop } e;\ S_1 \text{ end}:\quad g_S(x) = g_{S_1}^{g_e(x)}(x)$$

Lemma 10 The function $g_S$ is PR and for $free(S) = X$

$$g_S(c(s|X)) = c(f_S(s)|X).$$

Proof: Clearly $g_S$ is PR. Using Lemma 9, prove the equality by induction on program segment $S$.

$S = x_i := e$

$$\begin{aligned} g_S(c(s|X)) &= set_{x_i}(e, c(s|X)) \\ &= c(s\{I(e)(s)/x_i\}|X) \\ &= c(f_S(s)|X) \end{aligned}$$

$S = S_1; S_2$

The proof is straightforward.

$S = \text{loop } e;\ S_1 \text{ end}$

First prove $g_{S_1}^d(c(s|X)) = c(f_{S_1}^d(s)|X)$ by induction on $d$. Use this result to prove the following.

$$\begin{aligned} g_S(c(s|X)) &= g_{S_1}^{g_e(c(s|X))}(c(s|X)) \\ &= g_{S_1}^{I(e)(s)}(c(s|X)) \\ &= c(f_{S_1}^{I(e)(s)}(s)|X) \\ &= c(f_S(s)|X) \end{aligned}$$

□
Given program segment $S$ with its meaning function $f_S$, $g_S$ is a PR function tightly tied to $f_S$. While $f_S : St \to St$, $g_S : \mathcal{D} \to \mathcal{D}$. Given $f_S(s) = s'$ for $f_S$ defined on variables $X$, $g_S(c(s|X)) = c(s'|X)$. Since $g_S$ is PR, any assertion language in which PRA can be expressed will have a term corresponding to $g_S$. This is the central advantage of this system. For any program segment $S$ there is a term $\tau_S$ in the assertion language which describes the behavior of $S$: given a domain element $x$ which codes the variable values going into a program, $\tau_S(x)$ codes the values upon exiting that program.

Next define functions which simulate an $\mathcal{L}_{PR}$ program $\pi$. Given $\pi = (S, x_i)$ with $free(S) = X$ define $g_\pi : \mathcal{D} \to \mathcal{D}$ as follows:

$$g_\pi(c(s|X)) = (g_S(c(s|X)))_{x_i}.$$

Lemma 11 For $\pi = (S, x_i)$ with $free(S) = X$, $g_\pi$ is a PR function where

$$g_\pi(c(s|X)) = f_S(s)(x_i).$$

Proof: Clearly $g_\pi$ is PR. The equality follows from Lemma 10. □

Finally, given a program $\pi = (S, x_i)$ with $free(S) = X$, and given a state $s$ where $s|X = ((x_1\ d_1)\cdots(x_k\ d_k))$, define $h_\pi : \mathcal{D}^k \to \mathcal{D}$ as follows:

$$h_\pi(d_1, \ldots, d_k) = g_\pi(c(s|X)).$$

Lemma 12 The function $h_\pi$ is a PR function where

$$h_\pi(d_1, \ldots, d_k) = f_S(s)(x_i).$$

Proof: Clearly $h_\pi$ is PR. The equality follows from Lemma 11. □

Theorem 13 The class of functions computed by $\mathcal{L}_{PR}$ programs is the class of PR functions.

Proof: Lemma 12 guarantees that all functions computed by $\mathcal{L}_{PR}$ programs are PR. It will be shown that all PR functions are computed by some $\mathcal{L}_{PR}$ program. The class of PR functions is the closure of the functions $\lambda x.0$, $\lambda x.x+1$, and $\lambda \bar{x}_k.x_i$ for $1 \le i \le k$, $k \ge 1$ under composition and primitive recursion. The functions $\lambda x.0$ and $\lambda x.x+1$ are computed by the $\mathcal{L}_{PR}$ programs $\pi = (x := 0, x)$ and $\pi = (x := x+1, x)$. For $1 \le i \le k$, $k \ge 1$ the function $\lambda \bar{x}_k.x_i$ is computed by $\pi = (S, x_i)$ for $S$ as follows.

    S:   x_1 := x_1;
         ...
         x_k := x_k

Before continuing it will be useful to define a condensed notation for the $\mathcal{L}_{PR}$ statements which copy the values of $n$ variables to a distinct group of $n$ variables. Let the $\mathcal{L}_{PR}$ statements

    x_{s+1} := x_{p+1};
    ...
    x_{s+n} := x_{p+n}

be denoted $x_{s+1}, \ldots, x_{s+n} \leftarrow x_{p+1}, \ldots, x_{p+n}$.

Suppose PR function $f$ is defined by composition as $f = h \circ (g_1, \ldots, g_m)$ where $f, g_1, \ldots, g_m$ are $n$-place functions and $h$ is an $m$-place function. Furthermore say $h$ is computed by the $\mathcal{L}_{PR}$ program $\pi_h = (H, y_i)$ where $free(H) = Y = \{y_1, \ldots, y_m\}$, and each $g_j$ is computed by the program $\pi_{g_j} = (G_j, x_j)$ where $free(G_j) = X = \{x_1, \ldots, x_n\}$. Without loss of generality say $X$, $Y$ and $\{u_1, \ldots, u_n\}$ are non-overlapping sets of variables. Then the $\mathcal{L}_{PR}$ program $\pi_f = (F, y_i)$ where $free(F) = X$ computes $f$ for $F$ defined as follows.

    F:   u_1, ..., u_n <- x_1, ..., x_n    /* save a copy of F's input values */
         G_1                               /* run G_1 on x_n */
         y_1 := x_1                        /* save G_1's output */
         /* Repeat the following 3 lines for j = 2, ..., m */
         x_1, ..., x_n <- u_1, ..., u_n    /* get a fresh copy of x_n */
         G_j                               /* run G_j on x_n */
         y_j := x_j                        /* save G_j's output */
         /* Finish up */
         H                                 /* run H on the output of G_1, ..., G_m */

Suppose PR function $f$ is defined by primitive recursion as

$$\begin{aligned} f(0, \bar{y}_n) &= h(\bar{y}_n) \\ f(x+1, \bar{y}_n) &= g(x, \bar{y}_n, f(x, \bar{y}_n)). \end{aligned}$$

Furthermore say $h$ is computed by the $\mathcal{L}_{PR}$ program $\pi_h = (H, y_i)$ where $free(H) = Y = \{y_1, \ldots, y_n\}$, and $g$ is computed by the $\mathcal{L}_{PR}$ program $\pi_g = (G, v)$ where $free(G) = Y \cup \{y_{n+1}, v\}$. Without loss of generality say $\{x\}$, $Y \cup \{y_{n+1}\}$, $\{v\}$ and $\{u_1, \ldots, u_{n+1}\}$ are non-overlapping sets of variables. Then the $\mathcal{L}_{PR}$ program $\pi_f = (F, v)$ where $free(F) = \{x\} \cup Y$ computes $f$ for $F$ as follows.

    F:   u_1, ..., u_n <- y_1, ..., y_n    /* save a copy of F's input values */
         /* run H on y_n */
         /* save f(0, y_n) */
         /* counter, 0 to x */
         /* update counter */
         /* get a fresh copy of inputs for G */
         /* run G on (counter, y_n, f(counter, y_n)) */

Thus there is a program in $\mathcal{L}_{PR}$ which computes every PR function. □
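The composition and primitive-recursion constructions above, together with the meaning function $f_S$ of the loop language, as an added Python illustration (this is not code from the dissertation). It interprets program segments over states held as dicts, translates a PR definition into a program the way the proof does (a saved copy of the inputs is restored before each $G_j$, and $G$ is run on (counter, $\bar{y}_n$, $f(\text{counter}, \bar{y}_n)$) inside a single `loop x`), and checks the result on addition, multiplication and exponentiation. Assumptions not fixed by the text: an identifier that was never assigned reads as 0, the constant 0 is an expression, fresh identifiers come from a counter in place of the proof's non-overlapping variable sets, and the counter is advanced after $G$ has run on it.

```python
"""Interpreter for the loop language of this chapter and a translation of
primitive recursive (PR) definitions into its programs, following the
proof of Theorem 13.  Added illustration, not code from the dissertation.
Assumptions: unassigned identifiers read as 0, the constant 0 is an
expression, fresh identifiers come from a counter, and the recursion
counter is incremented after G has run."""
import itertools

_counter = itertools.count()


def fresh(prefix):
    """An identifier not used anywhere else in the generated program."""
    return f"{prefix}{next(_counter)}"


# Expressions: ("zero",), ("var", x), ("succ", e)  -- the g_e of the text
def eval_expr(e, s):
    if e[0] == "zero":
        return 0
    if e[0] == "var":
        return s.get(e[1], 0)
    if e[0] == "succ":
        return eval_expr(e[1], s) + 1
    raise ValueError(e)


# Segments: ("assign", x, e), ("seq", S1, S2), ("loop", e, S1)  -- f_S
def meaning(S, s):
    """f_S: the state reached from s by running program segment S."""
    s = dict(s)                    # states are values, never mutated in place
    if S[0] == "assign":
        s[S[1]] = eval_expr(S[2], s)
        return s
    if S[0] == "seq":
        return meaning(S[2], meaning(S[1], s))
    if S[0] == "loop":
        n = eval_expr(S[1], s)     # g_e(x) is fixed on entry: the body cannot
        for _ in range(n):         # change the number of iterations
            s = meaning(S[2], s)
        return s
    raise ValueError(S)


def seq(*segments):
    """S_1; S_2; ...; S_n as nested compositions (at least one segment)."""
    out = segments[0]
    for S in segments[1:]:
        out = ("seq", out, S)
    return out


def copy_vars(dsts, srcs):
    """The condensed notation  d_1, ..., d_n <- s_1, ..., s_n  (n >= 1)."""
    return seq(*[("assign", d, ("var", s)) for d, s in zip(dsts, srcs)])


def compile_pr(f):
    """Translate a PR definition into (S, inputs, output): segment S reads its
    arguments from `inputs` and leaves f(inputs) in `output`.  Definitions:
    ("zero",), ("succ",), ("proj", i, k), ("comp", h, [g_1..g_m]), ("rec", h, g)."""
    kind = f[0]
    if kind == "zero":                       # lambda x. 0
        x = fresh("x")
        return ("assign", x, ("zero",)), [x], x
    if kind == "succ":                       # lambda x. x + 1
        x = fresh("x")
        return ("assign", x, ("succ", ("var", x))), [x], x
    if kind == "proj":                       # lambda x_1 ... x_k. x_i
        i, k = f[1], f[2]
        xs = [fresh("x") for _ in range(k)]
        return copy_vars(xs, xs), xs, xs[i - 1]
    if kind == "comp":                       # h o (g_1, ..., g_m)
        H, h_in, h_out = compile_pr(f[1])
        gs = [compile_pr(g) for g in f[2]]
        n = len(gs[0][1])
        xs = [fresh("x") for _ in range(n)]
        us = [fresh("u") for _ in range(n)]  # saved copy of F's inputs
        body = [copy_vars(us, xs)]
        for (G, g_in, g_out), y in zip(gs, h_in):
            body += [copy_vars(g_in, us),             # fresh copy of x_n
                     G,                               # run G_j
                     ("assign", y, ("var", g_out))]   # save G_j's output
        body.append(H)                                # run H on y_1..y_m
        return seq(*body), xs, h_out
    if kind == "rec":                        # f(0,y)=h(y); f(x+1,y)=g(x,y,f(x,y))
        H, h_in, h_out = compile_pr(f[1])
        G, g_in, g_out = compile_pr(f[2])
        n = len(h_in)
        x, ys = fresh("x"), [fresh("y") for _ in range(n)]
        ctr, acc = fresh("c"), fresh("a")    # counter 0..x and f(counter, y)
        loop_body = seq(copy_vars(g_in, [ctr] + ys + [acc]),  # inputs for G
                        G,                                    # g(ctr, y, acc)
                        ("assign", acc, ("var", g_out)),
                        ("assign", ctr, ("succ", ("var", ctr))))
        S = seq(copy_vars(h_in, ys), H,
                ("assign", acc, ("var", h_out)),              # f(0, y)
                ("assign", ctr, ("zero",)),
                ("loop", ("var", x), loop_body))              # x iterations
        return S, [x] + ys, acc
    raise ValueError(f)


def run(f, *args):
    """h_pi(d_1, ..., d_k): run the program computing f on the given inputs."""
    S, inputs, out = compile_pr(f)
    return meaning(S, dict(zip(inputs, args)))[out]


# add(x, y), mult(x, y) and power(x, y) = y**x as PR definitions
ADD = ("rec", ("proj", 1, 1), ("comp", ("succ",), [("proj", 3, 3)]))
MULT = ("rec", ("zero",), ("comp", ADD, [("proj", 2, 3), ("proj", 3, 3)]))
POWER = ("rec", ("comp", ("succ",), [("zero",)]),
         ("comp", MULT, [("proj", 2, 3), ("proj", 3, 3)]))
```

Because `loop` reads its bound once on entry, a body cannot extend its own iteration count: `loop n; n := s(n) end` started from n = 3 stops at n = 6. This is the property behind $g_S(x) = g_{S_1}^{g_e(x)}(x)$ in Lemma 10 and the reason every program of the language terminates.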


2.4     Verification of $\mathcal{L}_{PR}$ Programs

A Hoare-type verification system, $\mathcal{H}_{PR}$, is defined as a set of axioms and rules augmented by PRA. Proof lines are formulas in the assertion language or Hoare statements $\{P\}S\{Q\}$. Proof rules are of the form

$$\frac{I_1, \ldots, I_n}{I_{n+1}}$$

This rule says that if statements $I_1, \ldots, I_n$ are provable then $I_{n+1}$ is provable. The axioms and rules of $\mathcal{H}_{PR}$ are as follows.

Assignment Axiom

$$\{P[e/x]\}\ x := e\ \{P\}$$

Composition Rule

$$\frac{\{P\}S_1\{R\},\ \{R\}S_2\{Q\}}{\{P\}S_1;S_2\{Q\}}$$

Iteration Rule

$$\frac{\{P[y/x] \wedge 0 \le y < e\}\ S\ \{P[y+1/x]\}}{\{P[0/x]\}\ \text{loop } e;\ S \text{ end}\ \{P[e/x]\}}$$

for $x \notin var(e) \cup free(S)$ and $y \notin (var(e) \cup free(S) \cup free(P))$.

Consequence Rule

$$\frac{P_1 \to P,\ \{P\}S\{Q\},\ Q \to Q_1}{\{P_1\}S\{Q_1\}}$$

Hoare proofs are frequently developed backwards. That is, one starts with what is to be proved and works backwards to a list of axioms. Let the following indicate that Hoare triple $A$ is provable from Hoare triple $B$ using the given rule.

    A
    ↑  Rule
    B

When the Consequence Rule is used, additional information is needed to show the implications. Let the following indicate that $\{P_1\}S\{Q_1\}$ is provable from $\{P\}S\{Q\}$ using the Consequence Rule.

    {P_1} S {Q_1}
    ↑  a | Consequence Rule | b
    {P} S {Q}

The proofs that $\vdash_{PRA} P_1 \to P$ and $\vdash_{PRA} Q \to Q_1$ can be given following the backward proof. If given, these proofs will be labeled $a$ and $b$, respectively.

2.5     Soundness of $\mathcal{H}_{PR}$

Verification system $\mathcal{H}_{PR}$ is sound if, for every interpretation $I$ of PRA, whenever $\{P\}S\{Q\}$ is provable in $\mathcal{H}_{PR}$ then $\{P\}S\{Q\}$ is true with respect to $I$. A problem arises because PRA allows induction only on bounded formulas yet, as it stands, the Iteration Rule allows induction on arbitrary formulas. This is an unusual case where the syntax, specifically the Iteration Rule, is stronger than the semantics. Let $\Sigma_n$ denote the class of formulas which can be written in the form $\exists x_1 \forall x_2 \exists x_3 \cdots \forall x_n\, \phi(x_1, \ldots, x_n)$ or $\exists x_1 \forall x_2 \exists x_3 \cdots \exists x_n\, \phi(x_1, \ldots, x_n)$ where $\phi$ is quantifier free. The Iteration Rule where the loop invariant is a formula from $\Sigma_n$ will be referred to as the $\Sigma_n$-Iteration Rule.

The relation between $T$ and the Iteration Rule is given in the following lemma.

Lemma 14 For a complete theory $T \supseteq PRA$ and a Hoare system $H$ which includes the Assignment Axiom, the Consequence Rule and the Composition Rule

1. $\Sigma_n$-Iteration Rule is sound $\Rightarrow$ $T \vdash \Sigma_n$-induction

2. $T \vdash \Sigma_{n+1}$-induction $\Rightarrow$ $\Sigma_n$-Iteration Rule is sound

Proof:

1. Assume the $\Sigma_n$-Iteration Rule is sound and that for $P \in \Sigma_n$, $P(0)$ and $\forall x(P(x) \to P(x+1))$ are in $T$. It will be shown that $T \vdash P(a)$ for a new constant $a$. Therefore $T \vdash \forall x P(x)$, and by the deduction rule $T \vdash (P(0) \wedge \forall x(P(x) \to P(x+1))) \to \forall x P(x)$. All that is left to prove is $T \vdash P(a)$.

First it will be proven that for $i \notin free(P)$

$$\vdash_H \{P[0/x]\}\ i := 0;\ \text{loop } a;\ i := i+1 \text{ end}\ \{P[a/x]\}.$$

    {P[0/x]} i := 0; loop a; i := i+1 end {P[a/x]}
    ↑  Consequence Rule
    {(P[0/x] ∧ i = 0)[0/i]} i := 0; loop a; i := i+1 end {P[a/x] ∧ i = a}
    ↑  Composition Rule
    {(P[0/x] ∧ i = 0)[0/i]} i := 0 {P[0/x] ∧ i = 0}        ... Assignment Axiom
    {P[0/x] ∧ i = 0} loop a; i := i+1 end {P[a/x] ∧ i = a}
    ↑  Iteration Rule, loop invariant: P[u/x] ∧ i = u
    {P[y/x] ∧ i = y ∧ 0 ≤ y < a} i := i+1 {P[y+1/x] ∧ i = y+1}
    ↑  a | Consequence Rule
    {(P[y+1/x] ∧ i = y+1)[i+1/i]} i := i+1 {P[y+1/x] ∧ i = y+1}
    ↑  Assignment Axiom

The proof of implication $a$ is as follows.

$$\begin{aligned} & P[y/x] \wedge i = y \wedge 0 \le y < a \\ \Rightarrow\ & P[y+1/x] \wedge i = y \\ \Rightarrow\ & P[y+1/x] \wedge i+1 = y+1 \\ \Rightarrow\ & (P[y+1/x] \wedge i = y+1)[i+1/i] \end{aligned}$$

It has been assumed that the rules utilized in this proof are sound. Therefore for any interpretation $I$ of $T$ where $i \notin free(P)$

$$T \models_I \{P[0/x]\}\ i := 0;\ \text{loop } a;\ i := i+1 \text{ end}\ \{P[a/x]\}.$$

That is, the following holds in $I$:

$$\forall s\big(s \in St_I(P[0/x]) \to comp_I(assign_I(i, 0), loop_I(a, assign_I(i, i+1)))(s) \in St_I(P[a/x])\big).$$

It is assumed that $T \models_I P[0/x]$, so the antecedent holds for any state $s$. Program functions are stable and $i \notin free(P)$, so for any state $s$, $s \in St_I(P[a/x])$. Therefore $T \models_I P[a/x]$ and, since $T$ is complete, $T \vdash P(a)$.

2. Assume $T \vdash \Sigma_{n+1}$-induction. The soundness of the Iteration Rule follows from the following, for formula $P$, program function $f$ on $X$ and expression $e$ where $x \notin var(e) \cup X$, $y \notin var(e, P) \cup X$ and $var(e) \cap X = \emptyset$:

$$f(P[y/x] \wedge 0 \le y < e) \subseteq P[s(y)/x] \ \Rightarrow\ loop_I(e, f)(P[0/x]) \subseteq P[e/x]$$

The proof of this is the same as the proof of Lemma 8 part 3, with the exception that for $P \in \Sigma_n$, $\Sigma_{n+1}$-induction is used rather than bounded induction.

□

If one limits oneself to working in the natural numbers $\mathbb{N}$, standard induction holds. That is, for any formula $P$

$$P(0) \wedge \forall x(P(x) \to P(x+1)) \to \forall x \in \mathbb{N}\,(P(x)).$$

Theoretically, however, there are models of PRA for which standard induction does not hold. Therefore it is possible to define a model where utilizing the unbounded Iteration Rule allows a false conclusion to be proved. Such a model will be non-standard.

Peano Arithmetic (PA) is a stronger theory than PRA. In addition to the axioms of PRA, PA contains an induction axiom for every first order formula, whereas PRA only allows induction on bounded formulas. Thus every model of PA is also a model of PRA. The problem is that the models of PRA which are not also models of PA behave in an unexpected way. One such model is developed in Appendix C. In that appendix it is shown that the model developed is a model of PRA. An element, obtained via Ackermann's function, is given which is not in this model. Finally it is shown that, using the Iteration Rule with an unbounded ($\Sigma_n$) loop invariant, it can be incorrectly proven that this element is in the model.

There are two ways to handle the mismatch between PRA's induction axiom and $\mathcal{H}_{PR}$'s Iteration Rule. One of the motivations of this research was to develop a system with a clean Soundness and Completeness Theorem, that is, a system where the Soundness and Completeness Theorem reads

$$\models_{PRA} \{P\}S\{Q\} \iff \vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\}.$$

To create a sound system which maintains this clean separation between semantics and syntax, loop invariants must be bounded. Recall that within the natural numbers full induction holds, so there this restriction can be ignored.

Another way to handle this mismatch is to prove a weaker Soundness Theorem. This Soundness Theorem would disallow those models of PRA for which full induction does not hold; that is, the Soundness Theorem would be restricted to models of PA. This is the approach chosen in this research. Notice that this restriction is only required for the Soundness Theorem. The Completeness Theorem does not require a similar restriction.

Theorem 15 (Soundness) For a Hoare triple $\{P\}S\{Q\}$

$$\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\} \Rightarrow \models_{PA} \{P\}S\{Q\}.$$

Proof: Prove this by induction on the proof system $\mathcal{H}_{PR}$. Let $I$ be an interpretation of PA.

Assignment Axiom:

$\models_I P[e/x] \to P[e/x]$. Therefore by Lemma 8, $assign_I(x, e)(P[e/x]) \subseteq P$. Thus $\models_I \{P[e/x]\}\ x := e\ \{P\}$.

Composition Rule:

Assume $\vdash_{\mathcal{H}_{PR}} \{P\}S_1;S_2\{Q\}$. In that proof $\vdash_{\mathcal{H}_{PR}} \{P\}S_1\{R\}$ and $\vdash_{\mathcal{H}_{PR}} \{R\}S_2\{Q\}$. By the inductive hypothesis $\models_I \{P\}S_1\{R\}$ and $\models_I \{R\}S_2\{Q\}$. Thus there is a set of states $Y$ where $f_{S_1}(P) \subseteq Y$ and $f_{S_2}(Y) \subseteq Q$, namely $Y = St_I(R)$. Therefore by Lemma 8, $comp_I(S_1, S_2)(P) \subseteq Q$, which gives $\models_I \{P\}S_1;S_2\{Q\}$.

Iteration Rule:

Assume $\vdash_{\mathcal{H}_{PR}} \{P[0/x]\}\ \text{loop } e;\ S \text{ end}\ \{P[e/x]\}$. In that proof $\vdash_{\mathcal{H}_{PR}} \{P[y/x] \wedge 0 \le y < e\}S\{P[s(y)/x]\}$ for $x \notin var(e) \cup free(S)$ and $y \notin var(e) \cup free(S) \cup free(P)$. By the inductive hypothesis $\models_I \{P[y/x] \wedge 0 \le y < e\}S\{P[s(y)/x]\}$. Thus $f_S(P[y/x] \wedge 0 \le y < e) \subseteq P[s(y)/x]$. Therefore by Lemma 8, $loop_I(e, S)(P[0/x]) \subseteq P[e/x]$, which gives $\models_I \{P[0/x]\}\ \text{loop } e;\ S \text{ end}\ \{P[e/x]\}$.

Consequence Rule:

Assume $\vdash_{\mathcal{H}_{PR}} \{P_1\}S\{Q_1\}$. In that proof $\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\}$, $\vdash_{\mathcal{H}_{PR}} P_1 \to P$ and $\vdash_{\mathcal{H}_{PR}} Q \to Q_1$. Therefore for any interpretation $I$ of PRA, $\models_I P_1 \to P$ and $\models_I Q \to Q_1$. By the inductive hypothesis $\models_I \{P\}S\{Q\}$. Equivalently $St_I(P_1) \subseteq St_I(P)$, $f_S(St_I(P)) \subseteq St_I(Q)$, and $St_I(Q) \subseteq St_I(Q_1)$. Putting these together yields $f_S(St_I(P_1)) \subseteq St_I(Q_1)$. Thus $\models_I \{P_1\}S\{Q_1\}$.

□


2.6     Completeness of $\mathcal{H}_{PR}$

The verification system is shown to be complete as follows. Given program segment $S$ and assertion $P$, the existence of a Strongest Postcondition, SPC, of $S$ and $P$ is shown. The SPC Theorem shows that there is a SPC $Q$ such that $\models_I \{P\}S\{Q\}$ and, for any valid Hoare triple $\models_I \{P\}S\{R\}$, $\models_I Q \to R$. Given program segment $S$ and assertion $P$, the provability of a SPC Hoare triple is also shown. For any valid Hoare triple $\{P\}S\{R\}$, $\vdash_{\mathcal{H}_{PR}} \{P\}S\{R\}$ is then proven by applying the Consequence Rule to the SPC Hoare triple.

Towards this end it must be possible to translate a Hoare triple into a PRA formula and vice versa. It will be shown that for $I \models PRA$ and a Hoare triple $\{P\}S\{Q\}$

$$\models_I \{P\}S\{Q\} \iff \models_I \forall x(P^+(x) \to Q^+(g_S(x)))$$

where $P^+$ and $Q^+$ are formulas on state codes obtained from $P$ and $Q$, and $g_S$ is the PR function corresponding to program segment $S$, possibly extended to operate on state codes of a larger set of variables than those in $free(S)$. It is interesting to note that a syntactic version of the above statement does not hold. It is true that

$$\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\} \Leftarrow \vdash_{PRA} \forall x(P^+(x) \to Q^+(g_S(x))).$$

However the proof that

$$\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\} \Rightarrow \vdash_{PRA} \forall x(P^+(x) \to Q^+(g_S(x)))$$

depends on the soundness of $\mathcal{H}_{PR}$. Since for unbounded formulas $P$ and $Q$ the Iteration Rule may not be sound, $\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\}$ may be provable while $\forall x(P^+(x) \to Q^+(g_S(x)))$ does not hold in all models of PRA. The statement $\forall x(P^+(x) \to Q^+(g_S(x)))$ would hold in models of Peano Arithmetic. If it is required that pre- and postconditions be bounded whenever the Iteration Rule is utilized, a syntactic version of the statement holds.

First a set of terms and predicates on state codes are defined. Recall the PR coding and decoding functions for a state $s$ restricted to a set of variables $X$. Also recall that for any set of variables $X$ there is a PR predicate which takes a state code $z$ and determines whether $X \subseteq var(z)$. Given a term $\tau$ with $var(\tau) = X$ define the term $\tau^+$ by

$$\tau^+(x) = \begin{cases} \tau((x)_{x_1}, \ldots, (x)_{x_k}) & \text{if } X \subseteq var(x) \\ \text{undefined} & \text{otherwise.} \end{cases}$$

Given a formula $P$ with $free(P) = X = \{x_1, \ldots, x_k\}$ define the predicate $P^+$ by

$$P^+(x) \text{ holds} \iff X \subseteq var(x) \wedge P((x)_{x_1}, \ldots, (x)_{x_k}).$$

Notice that for all $x$, $P^+(x|X) \iff P^+(x)$.

Functions on state codes can be extended to functions on state codes of a larger set of variables. Let $X$ and $Y$ be sets of variables where $X \subseteq Y$ and $X = \{x_1, \ldots, x_k\}$. For state code $z$ defined on $Y$ let $z|X = c((x_1\ (z)_{x_1}) \cdots (x_k\ (z)_{x_k}))$. Say $g$ is a function defined from the state codes of $X$ to a domain value. Define $\bar{g}$ from $g$ by $\bar{g}(z) = g(z|X)$. Notice that $\bar{g}$ is defined from the state codes of $Y$ to a domain value. Say $g$ is a function defined on the state codes of $X$. Define $\bar{g}$ from $g$ by

$$(\bar{g}(z))_w = \begin{cases} (g(z|X))_w & \text{if } w \in X \\ (z)_w & \text{otherwise.} \end{cases}$$

Notice that $\bar{g}$ is defined on the state codes of $Y$. Throughout the remainder of this work extended functions will not be distinguished from their original functions.

To simplify the notation let $\nu$ represent the set of variables $X = \{x_1, \ldots, x_k\}$. That is, let $\nu$ be a function on $\{1, \ldots, k\}$ where $\nu(i) = x_i$. For $P((x)_{x_1}, \ldots, (x)_{x_k})$ write $P((x)_\nu)$.
Lemma 16 For formulas $P, Q$ where $free(P) = free(Q) = X = \{x_1, \ldots, x_k\}$ and a total function $f$ defined on the state codes of $X$,

t
$\vdash_{PRA} \forall x(P^+(x) \to Q^+(f(x)))$.

Proof: The proof is a straightforward application of the definition. □

Lemma 17 For $I \models PRA$, a formula $P$, a state $s$ and $c$ the coding function

$$I(P)(s) \text{ holds} \iff P^+(x) \text{ holds for } x = c(s|free(P)).$$

Proof: The proof is a straightforward application of the definitions. □

Lemma 18 For $I \models PRA$ and Hoare formula $\{P\}S\{Q\}$ where $free(S) \subseteq free(P) = free(Q)$

$$\models_I \{P\}S\{Q\} \iff \models_I \forall x(P^+(x) \to Q^+(g_S(x))).$$

Proof: Say $free(S) \subseteq free(P) = free(Q) = X = \{x_1, \ldots, x_k\}$.

($\Rightarrow$) Assume $\forall s(s \in St_I(P) \to f_S(s) \in St_I(Q))$.

$$\begin{aligned} & P^+(x) \\ \Rightarrow\ & I(P)(s) \text{ for any } s \text{ where } x = c(s|X) \\ \Rightarrow\ & s \in St_I(P) \\ \Rightarrow\ & f_S(s) \in St_I(Q) \\ \Rightarrow\ & Q(f_S(s)(x_1), \ldots, f_S(s)(x_k)) \\ \Rightarrow\ & Q((c(f_S(s)|X))_\nu) \\ \Rightarrow\ & Q((g_S(c(s|X)))_\nu) \\ \Rightarrow\ & X \subseteq var(g_S(x)) \wedge Q((g_S(x))_\nu) \\ \Rightarrow\ & Q^+(g_S(x)) \end{aligned}$$

($\Leftarrow$) Assume $\models_I \forall x(P^+(x) \to Q^+(g_S(x)))$.

$$\begin{aligned} & s \in St_I(P) \\ \Rightarrow\ & I(P)(s) \\ \Rightarrow\ & P^+(x) \text{ for } x = c(s|X) \\ \Rightarrow\ & Q^+(g_S(x)) \\ \Rightarrow\ & Q^+(g_S(c(s|X))) \\ \Rightarrow\ & Q^+(c(f_S(s)|X)) \\ \Rightarrow\ & Q((c(f_S(s)|X))_\nu) \\ \Rightarrow\ & Q(f_S(s)(x_1), \ldots, f_S(s)(x_k)) \\ \Rightarrow\ & f_S(s) \in St_I(Q) \end{aligned}$$

□
The concept of substitutions is extended to apply to state codes and to PR functions on those state codes. As expected, substitutions on state codes are defined similarly to substitutions on states, and substitutions on the PR functions of state codes are defined similarly to substitutions on program functions. Say $\rho$ is a substitution on $X$. For $z$ a state code on the variables $\rho(X)$ define $\rho$ on $z$ by

$$(z\rho)_x = (z)_{\rho(x)} \quad \text{for } x \in X.$$

For PR function $g$, defined from a state code of $X$ to a domain value, define $\rho$ on $g$ by

$$g\rho(z) = g(z\rho).$$

For any PR function $g$, defined on the state codes of $X$, define $\rho$ on $g$ by

$$(g\rho(z))_{\rho(x)} = (g(z\rho))_x \quad \text{for } x \in X.$$

Notice that for $\rho$ a substitution on $X$ and $g$ defined on state codes of $X$, $g\rho$ is defined on state codes of $\rho(X)$.

Lemma 19 (Composition of substituted functions) For PR functions $g_1$ and $g_2$ defined on state codes of $X$ and $\rho$ a substitution on $X$

$$g_2\rho(g_1\rho(z)) = (g_2 \circ g_1)\rho(z).$$

Proof: The proof is a straightforward application of the definitions. □

Lemma 20 (Substitution on state code formulas) For formula $P$ and substitution $\rho$

$$(P\rho)^+(x) \iff P^+(x\rho).$$

Proof: First prove $(\tau\rho)^+(x) = \tau^+(x\rho)$ by induction on the term $\tau$. Then prove the lemma by induction on formula $P$. □
Lemma 21 For a function $f$ defined on the state codes of $\{x_1, \ldots, x_k\}$ and $\rho = [\bar{y}_k/\bar{x}_k]$

$$\vdash_{PRA} \forall i \le k(x_i = y_i) \to \forall i \le k\big((f(c(\bar{x}_k\ \bar{x}_k)))_{x_i} = (f\rho(c(\bar{y}_k\ \bar{y}_k)))_{y_i}\big).$$

Proof: Assume $x_i = y_i$ for $1 \le i \le k$, then

$$\begin{aligned} & (f\rho(c(\bar{y}_k\ \bar{y}_k)))_{y_i} \\ =\ & (f\rho(c((y_1\ y_1)\cdots(y_k\ y_k)(x_1\ z_1)\cdots(x_k\ z_k))))_{y_i} && \text{Extend } f \\ =\ & (f(c((y_1\ y_1)\cdots(y_k\ y_k)(x_1\ z_1)\cdots(x_k\ z_k))\rho))_{x_i} && \text{Def. } \rho \text{ on func.} \\ =\ & (f(c((y_1\ y_1)\cdots(y_k\ y_k)(x_1\ y_1)\cdots(x_k\ y_k))))_{x_i} && \text{Def. } \rho \text{ on state code} \\ =\ & (f(c(\bar{x}_k\ \bar{y}_k)))_{x_i} && \text{Reduce } f \\ =\ & (f(c(\bar{x}_k\ \bar{x}_k)))_{x_i} && \text{Assumption} \end{aligned}$$

□

Corollary 22 For a function $g$ which takes the state codes of $\{x_1, \ldots, x_k\}$ to a domain element and $\rho = [\bar{y}_k/\bar{x}_k]$

$$\vdash_{PRA} \forall i \le k(x_i = y_i) \to g(c(\bar{x}_k\ \bar{x}_k)) = g\rho(c(\bar{y}_k\ \bar{y}_k)).$$

Theorem 23 (Strongest Postcondition Theorem) Given program segment $S$ and assertion $P$ with $free(S) \subseteq free(P) = \{x_1, \ldots, x_k\}$, the SPC of $S$ and $P$ is

$$Q = \exists \bar{y}_k\big(\forall i \le k(x_i = (g_S\rho(y))_{y_i}) \wedge P\rho\big)$$

where $\rho = [\bar{y}_k/\bar{x}_k]$ and $y = c((y_1\ y_1)\cdots(y_k\ y_k))$.

That is, the following hold:

1. $\models_{PRA} \{P\}S\{Q\}$

2. $\models_{PRA} \{P\}S\{R\} \Rightarrow \models_{PRA} Q \to R$

Proof: Let $\rho = [\bar{y}_k/\bar{x}_k]$ and $X = \{x_1, \ldots, x_k\}$. In the following assume $i$ ranges from 1 to $k$.

1.

$$\begin{aligned} & s \in St_I(P) \\ \Rightarrow\ & P^+(c(s|X)) && \text{Lemma 17} \\ \Rightarrow\ & (\exists \bar{y}_k(x_i = y_i \wedge P\rho))^+(c(s|X)) \\ \Rightarrow\ & (\exists \bar{y}_k((g_S(x))_{x_i} = (g_S\rho(y))_{y_i} \wedge P\rho))^+(c(s|X)) \\ & \quad \text{where } x = c((x_1\ x_1)\cdots(x_k\ x_k)) \text{ and } y = c((y_1\ y_1)\cdots(y_k\ y_k)) && \text{Lemma 21} \\ \Rightarrow\ & \exists \bar{y}_k((g_S(c(s|X)))_{x_i} = (g_S\rho(y))_{y_i} \wedge P\rho) \\ \Rightarrow\ & \exists \bar{y}_k((c(f_S(s)|X))_{x_i} = (g_S\rho(y))_{y_i} \wedge P\rho) && \text{Lemma 10} \\ \Rightarrow\ & (\exists \bar{y}_k(x_i = (g_S\rho(y))_{y_i} \wedge P\rho))^+(c(f_S(s)|X)) \\ \Rightarrow\ & f_S(s) \in St_I(Q). \end{aligned}$$

2. Assume $\forall s(s \in St_I(P) \to f_S(s) \in St_I(R))$. By Lemma 18, $\forall x(P^+(x) \to R^+(g_S(x)))$. Say $y = c((y_1\ y_1)\cdots(y_k\ y_k))$.

$$\begin{aligned} & \exists \bar{y}_k(x_i = (g_S\rho(y))_{y_i} \wedge P\rho) \\ \Rightarrow\ & \exists \bar{y}_k(x_i = (g_S\rho(y))_{y_i} \wedge (P\rho)^+(y)) \\ \Rightarrow\ & \exists \bar{y}_k(x_i = (g_S(y\rho))_{x_i} \wedge P^+(y\rho)) \\ \Rightarrow\ & \exists \bar{y}_k(x_i = (g_S(y\rho))_{x_i} \wedge R^+(g_S(y\rho))) \\ \Rightarrow\ & R^+(x) \text{ for } x = c((x_1\ x_1)\cdots(x_k\ x_k)) \\ \Rightarrow\ & R \end{aligned}$$

□

In the SPC Theorem it is assumed that $free(S) \subseteq free(P)$. Notice that this situation is easily created by adding trivial equalities (such as $x = x$ for $x \in free(S)$) to formula $P$.

A note similar to the one concerning Lemma 18 applies to the SPC Theorem. That is, a syntactic version of the SPC Theorem may not hold. For $Q$ defined as in the SPC Theorem it can be shown that $\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\}$. However the proof given that $\vdash_{\mathcal{H}_{PR}} \{P\}S\{R\} \Rightarrow \vdash_{PRA} Q \to R$ depends on the soundness of the verification system. Since for unbounded formulas $P$ and $R$ the system may prove a Hoare triple which is not true in some model of PRA, $\vdash_{\mathcal{H}_{PR}} \{P\}S\{R\}$ may be provable but $\nvdash_{PRA} Q \to R$. If it is required that pre- and postconditions be bounded whenever the Iteration Rule is utilized, a syntactic version of the SPC Theorem holds.
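The Iteration Rule of Section 2.4, its soundness over the natural numbers (Section 2.5) and the Strongest Postcondition of Theorem 23, as an added Python illustration that is not part of the dissertation. It checks the rule's premise and conclusion by exhaustive evaluation on a finite piece of the standard model, where full induction holds and the unrestricted rule is sound, and computes the SPC of a program as the image of the precondition's states, which is exactly the set that Theorem 23's $Q$ describes. Assumptions: program segments are written directly as Python state transformers for the constructed example program $z := 0;\ \text{loop } n;\ \text{loop } m;\ z := s(z) \text{ end end}$, assertions are Python predicates on states, and every variable ranges over 0..4.

```python
"""Bounded checks of the Iteration Rule and of the Strongest Postcondition
on a finite piece of the standard model.  Added illustration, not code from
the dissertation.  Assumptions: states are dicts, program segments are
Python state transformers, assertions are Python predicates, and every
enumerated variable ranges over 0..BOUND-1 (natural numbers, where full
induction holds, so the unrestricted Iteration Rule is sound)."""
from itertools import product

BOUND = 5          # constructed: enumerated variables take the values 0..4


def loop(e, body):
    """f_{loop e; S end}: run the body e(s) times; e is evaluated once."""
    def f(s):
        for _ in range(e(s)):
            s = body(s)
        return s
    return f


def seq(*fs):
    """f_{S_1; S_2; ...}: left-to-right composition of state transformers."""
    def f(s):
        for g in fs:
            s = g(s)
        return s
    return f


def states(names):
    """Every state over `names` with values below BOUND."""
    for vals in product(range(BOUND), repeat=len(names)):
        yield dict(zip(names, vals))


def valid(P, S, Q, names):
    """|= {P} S {Q}: every P-state is taken by S to a Q-state."""
    return all(Q(S(s)) for s in states(names) if P(s))


def iteration_premise(inv, e, body, names):
    """Premise {P[y/x] and 0 <= y < e} S {P[y+1/x]} of the Iteration Rule,
    for an invariant inv(y, s) whose first argument is the counter y."""
    return all(inv(y + 1, body(s))
               for s in states(names) for y in range(e(s)) if inv(y, s))


def iteration_conclusion(inv, e, body, names):
    """Conclusion {P[0/x]} loop e; S end {P[e/x]}; the body leaves var(e)
    unchanged, so e can be read from the initial state."""
    run = loop(e, body)
    return all(inv(e(s), run(s)) for s in states(names) if inv(0, s))


def spc(P, S, names):
    """Strongest postcondition of S and P as a set of post-states: the states
    x for which some P-state y satisfies x = S(y), as in Theorem 23."""
    return {frozenset(S(s).items()) for s in states(names) if P(s)}


def implies(Q_set, R):
    """Q -> R for an SPC set Q: every state in Q satisfies R."""
    return all(R(dict(q)) for q in Q_set)


# Constructed program  z := 0; loop n; loop m; z := s(z) end end  (z = n*m)
NAMES = ("n", "m", "z")
inner = loop(lambda s: s["m"], lambda s: {**s, "z": s["z"] + 1})
mult = seq(lambda s: {**s, "z": 0}, loop(lambda s: s["n"], inner))


def good_inv(y, s):
    """P(x) = (z = x*m) with the counter x as the argument y."""
    return s["z"] == y * s["m"]


def bad_inv(y, s):
    """P(x) = (z = x): only correct when m = 1, so the premise must fail."""
    return s["z"] == y


def check_iteration_rule():
    """(premise holds, conclusion holds, premise fails for the wrong invariant)."""
    def e(s):
        return s["n"]
    return (iteration_premise(good_inv, e, inner, NAMES),
            iteration_conclusion(good_inv, e, inner, NAMES),
            iteration_premise(bad_inv, e, inner, NAMES))


def check_spc():
    """With precondition 'true', the SPC of mult implies z = n*m but not z = n."""
    Q = spc(lambda s: True, mult, NAMES)
    return (valid(lambda s: True, mult, lambda s: frozenset(s.items()) in Q, NAMES),
            implies(Q, lambda s: s["z"] == s["n"] * s["m"]),
            implies(Q, lambda s: s["z"] == s["n"]))
```

The premise check is the semantic content of the rule: an invariant that survives one more iteration for every counter value below the bound carries to the whole loop. Theorem 23 says the same about the image set computed by `spc`: every valid postcondition $R$ of the program is implied by it, and a candidate such as $z = n$ that fails `implies` is not a valid postcondition.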
The provability of the SPC Hoare triple for a program segment $S$ and an assertion $P$ is the major step in proving the completeness of the verification system. As new constructs are added to the language, most of the effort in proving the completeness of the new system lies in showing the provability of this SPC Hoare triple. Several lemmas are required to lay the groundwork.

Lemmas 1 and 2 link general substitutions on formulas to replacements on states. The following two lemmas link general substitutions on formulas to replacements on state codes.

Lemma 24 (Substitution and replacement on terms.) For a term $\tau$, an expression $e$, a state code $x$ with $var(\tau), var(e) \subseteq var(x)$ and any variable identifier $x_j$

$$(\tau[e/x_j])^+(x) = \tau^+(set_{x_j}(e, x)).$$

Proof: Prove the lemma by induction on the term $\tau$. □

Lemma 25 (Substitution and replacement on formulas.) For a formula $P$, an expression $e$ and a state code $x$ with $free(P), var(e) \subseteq var(x)$ and any variable identifier $x_j$

$$(P[e/x_j])^+(x) \iff P^+(set_{x_j}(e, x)).$$

Proof: This follows from Lemma 24 and induction on formula $P$. □

Corollary 26 (Equality before application of a function.) For a function $f$ defined on the state codes of $\{x_1, \ldots, x_k\}$ and $1 \le j \le k$

$$\forall \bar{u}_k \forall \bar{v}_k\Big(\forall i \le k\big(u_i = (f(c(\bar{x}_k\ \bar{v}_k)))_{x_i}\big) \wedge v_j = a \to \forall i \le k\big(u_i = (f(set_{x_j}(a, c(\bar{x}_k\ \bar{v}_k))))_{x_i}\big)\Big)$$
Proof: Define a predicate $R$ as follows

$$R = \lambda \bar{u}_k.\ \forall i \le k\big(u_i = (f(c(\bar{x}_k\ \bar{v}_k)))_{x_i}\big).$$

Notice that the lambda notation allows the $u_i$'s to be considered fixed in $R$. Let $\rho = [\bar{x}_k/\bar{v}_k]$. For all $\bar{u}_k$

$$\begin{aligned} & u_i = (f(c(\bar{x}_k\ \bar{v}_k)))_{x_i},\ 1 \le i \le k\ \wedge\ v_j = a \\ \Rightarrow\ & R \wedge v_j = a \\ \Rightarrow\ & R[a/v_j] \\ \Rightarrow\ & R\rho[a/x_j] \\ \Rightarrow\ & (R\rho[a/x_j])^+(x) \text{ for } x = c((x_1\ x_1)\cdots(x_k\ x_k)(v_1\ v_1)\cdots(v_k\ v_k)) \\ \Rightarrow\ & (R\rho)^+(set_{x_j}(a, x)) \\ \Rightarrow\ & R^+((set_{x_j}(a, x))\rho) \\ \Rightarrow\ & R^+(x\rho) \\ \Rightarrow\ & R^+(set_{v_j}(v_j, x\rho)) \\ \Rightarrow\ & R^+(set_{v_j}(a, x\rho)) \\ \Rightarrow\ & u_i = (f(c((x_1\ (set_{v_j}(a, x\rho))_{x_1})\cdots(x_k\ (set_{v_j}(a, x\rho))_{x_k}))))_{x_i} \text{ for } 1 \le i \le k \\ & = (f(c((x_1\ (x\rho)_{x_1})\cdots(x_j\ a)\cdots(x_k\ (x\rho)_{x_k}))))_{x_i} \text{ for } 1 \le i \le k \\ & = (f(set_{x_j}(a, x\rho)))_{x_i} \text{ for } 1 \le i \le k \\ & = (f(set_{x_j}(a, c(\bar{x}_k\ \bar{v}_k))))_{x_i} \text{ for } 1 \le i \le k \end{aligned}$$

□
Corollary 27 (Equality after application of a function.) For a function $f$ defined on the state codes of $X = \{x_1, \ldots, x_k\}$ and $x$ a state code on $X$

$$\forall \bar{u}_k \forall y\Big(\forall i \le k, i \ne j\big(u_i = (f(x))_{x_i}\big) \wedge u_j = y \to \forall i \le k\big(u_i = (set_{x_j}(y, f(x)))_{x_i}\big)\Big).$$

Proof: Define a new function $f'$ on the state codes of $X$ by

$$(f'(x))_{x_i} = \begin{cases} (f(x))_{x_i} & 1 \le i \le k,\ i \ne j \\ y & i = j. \end{cases}$$

Let $R = \lambda \bar{w}_k.\ \forall i \le k(u_i = w_i)$, $w_i = (f'(x))_{x_i}$ for $1 \le i \le k$ and $\rho = [\bar{x}_k/\bar{w}_k]$. Notice that for $z = c((x_1\ x_1)\cdots(x_k\ x_k)(w_1\ w_1)\cdots(w_k\ w_k))$ and $1 \le i \le k$, $i \ne j$

$$(z\rho)_{x_i} = (z)_{w_i} = w_i = (f'(x))_{x_i} = (f(x))_{x_i}.$$

For all $\bar{u}_k, y$

$$\begin{aligned} & u_i = (f(c(\bar{x}_k\ \bar{v}_k)))_{x_i},\ 1 \le i \le k,\ i \ne j\ \wedge\ u_j = y \\ \Rightarrow\ & u_i = (f'(c(\bar{x}_k\ \bar{v}_k)))_{x_i},\ 1 \le i \le k\ \wedge\ (f'(c(\bar{x}_k\ \bar{v}_k)))_{x_j} = y \\ \Rightarrow\ & u_i = w_i,\ 1 \le i \le k\ \wedge\ w_j = y \\ \Rightarrow\ & R \wedge w_j = y \\ \Rightarrow\ & R[y/w_j] \\ \Rightarrow\ & R\rho[y/x_j] \\ \Rightarrow\ & (R\rho[y/x_j])^+(x) \text{ for } x = c((x_1\ x_1)\cdots(x_k\ x_k)(w_1\ w_1)\cdots(w_k\ w_k)) \\ \Rightarrow\ & (R\rho)^+(set_{x_j}(y, x)) \\ \Rightarrow\ & R^+((set_{x_j}(y, x))\rho) \\ \Rightarrow\ & R^+(x\rho) \\ \Rightarrow\ & R^+(set_{x_j}(y, x\rho)) \\ \Rightarrow\ & u_i = (set_{x_j}(y, x\rho))_{x_i} \text{ for } 1 \le i \le k \\ \Rightarrow\ & u_i = (set_{x_j}(y, f(x)))_{x_i} \text{ for } 1 \le i \le k \end{aligned}$$

□


Lemma 28 shows the provability of the SPC Hoare triple for this system.

Lemma 28 (SPC Hoare triple) For a program segment $S$ and an assertion $P$ where $free(S) \subseteq free(P) = X = \{x_1, \ldots, x_k\}$, $Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$ and $\rho = [\bar{y}_k/\bar{x}_k]$

$$\vdash_{\mathcal{H}_{PR}} \{\forall i \le k(x_i = y_i) \wedge P\}\ S\ \{\forall i \le k(x_i = (g_S\rho(c(\bar{y}_k\ \bar{y}_k)))_{y_i}) \wedge P\rho\}.$$

Proof: Prove the lemma by induction on $S$. Assume $i$ ranges from 1 to $k$, $x = c(\bar{x}_k\ \bar{x}_k)$ and $y = c(\bar{y}_k\ \bar{y}_k)$.

$S = x_j := e$

    {x_i = y_i ∧ P} x_j := e {x_i = (g_S ρ(y))_{y_i} ∧ Pρ}
    ↑  a | Consequence Rule
    {(x_i = (g_S ρ(y))_{y_i} ∧ Pρ)[e/x_j]} x_j := e {x_i = (g_S ρ(y))_{y_i} ∧ Pρ}
    ↑  Assignment Axiom
The proof of implication $a$ is as follows. Let $R = \lambda \bar{x}_k.\ x_i = (g_S\rho(y))_{y_i} \wedge P\rho$.

$$\begin{aligned} & x_i = y_i \wedge P \\ \Rightarrow\ & (g_S(x))_{x_i} = (g_S\rho(y))_{y_i} \wedge P\rho && \text{Lemma 21} \\ \Rightarrow\ & (set_{x_j}(e, x))_{x_i} = (g_S\rho(y))_{y_i} \wedge P\rho && \text{Def. } g_S \\ \Rightarrow\ & R((set_{x_j}(e, x))_{x_1}, \ldots, (set_{x_j}(e, x))_{x_k}) \wedge X \subseteq var(set_{x_j}(e, x)) \\ \Rightarrow\ & R^+(set_{x_j}(e, x)) && \text{Def. } {}^+\text{-ext.} \\ \Rightarrow\ & (R[e/x_j])^+(x) && \text{Lemma 25} \\ \Rightarrow\ & R[e/x_j](x_1, \ldots, x_k) \\ \Rightarrow\ & (x_i = (g_S\rho(y))_{y_i} \wedge P\rho)[e/x_j] \end{aligned}$$

$S = S_1; S_2$

    {x_i = y_i ∧ P} S_1; S_2 {x_i = (g_S ρ(y))_{y_i} ∧ Pρ}
    ↑  Consequence Rule | a
    {x_i = y_i ∧ P} S_1; S_2 {x_i = (g_{S_2} ρ(g_{S_1} ρ(y)))_{y_i} ∧ Pρ}
    ↑  Composition Rule
    {x_i = y_i ∧ P} S_1 {x_i = (g_{S_1} ρ(y))_{y_i} ∧ Pρ}                                   ... Inductive Hypothesis
    {x_i = (g_{S_1} ρ(y))_{y_i} ∧ Pρ} S_2 {x_i = (g_{S_2} ρ(g_{S_1} ρ(y)))_{y_i} ∧ Pρ}        ... Inductive Hypothesis

The proof of implication $a$ is as follows.

$$\begin{aligned} & x_i = (g_{S_2}\rho(g_{S_1}\rho(y)))_{y_i} \wedge P\rho \\ \Rightarrow\ & x_i = ((g_{S_2} \circ g_{S_1})\rho(y))_{y_i} \wedge P\rho && \text{Lemma 19} \\ \Rightarrow\ & x_i = (g_S\rho(y))_{y_i} \wedge P\rho && \text{Def. } g_S \end{aligned}$$
$S = \text{loop } e;\ S_1 \text{ end}$

Say $var(e) = \bar{x}_m$ and let

$$R = \lambda \bar{x}_k\, u.\ \bar{x}_m = \bar{y}_m \wedge x_i = ((g_{S_1}\rho)^u(y))_{y_i} \wedge P\rho.$$

    {x_i = y_i ∧ P} loop e; S_1 end {x_i = (g_S ρ(y))_{y_i} ∧ Pρ}
    ↑  a | Consequence Rule | b
    {R[0/u]} loop e; S_1 end {R[e/u]}
    ↑  Iteration Rule
    {R[v/u] ∧ 0 ≤ v < e} S_1 {R[v+1/u]}
    ↑  c | Consequence Rule | d
    {x_i = z_i ∧ Pρ} S_1 {x_i = (g_{S_1} ρ'(z))_{z_i} ∧ (Pρ)ρ'}
    ↑  Inductive Hypothesis, with z = c(z̄_k z̄_k), z_i = ((g_{S_1} ρ)^v(y))_{y_i} for 1 ≤ i ≤ k and ρ' = [z̄_k/x̄_k]

The proof of implication $a$ is as follows.

$$\begin{aligned} & x_i = y_i \wedge P \\ \Rightarrow\ & \bar{x}_m = \bar{y}_m \wedge x_i = ((g_{S_1}\rho)^0(y))_{y_i} \wedge P\rho \\ \Rightarrow\ & R[0/u] \end{aligned}$$

The proof of implication $b$ is as follows. Let $z = c((x_1\ x_1)\cdots(x_k\ x_k)(u\ u))$.

$$\begin{aligned} & R[e/u] \\ \Rightarrow\ & R[e/u](x_1, \ldots, x_k, u) \wedge free(R[e/u]) \subseteq var(z) \\ \Rightarrow\ & (R[e/u])^+(z) \\ \Rightarrow\ & R^+(c((x_1\ x_1)\cdots(x_k\ x_k)(u\ g_e(z)))) \\ \Rightarrow\ & \bar{x}_m = \bar{y}_m \wedge x_i = ((g_{S_1}\rho)^{g_e(y)}(y))_{y_i} \wedge P\rho \\ \Rightarrow\ & x_i = ((g_{S_1}\rho)^{g_e(y)}(y))_{y_i} \wedge P\rho \\ \Rightarrow\ & x_i = (g_S\rho(y))_{y_i} \wedge P\rho \end{aligned}$$

The proof of implication $c$ is as follows.

$$\begin{aligned} & R[v/u] \wedge 0 \le v < e \\ \Rightarrow\ & \bar{x}_m = \bar{y}_m \wedge x_i = ((g_{S_1}\rho)^v(y))_{y_i} \wedge P\rho \wedge 0 \le v < e \\ \Rightarrow\ & x_i = z_i \wedge P\rho \end{aligned}$$

The proof of implication $d$ is as follows.

$$\begin{aligned} & x_i = (g_{S_1}\rho'(z))_{z_i} \wedge (P\rho)\rho' \\ \Rightarrow\ & x_i = (g_{S_1}\rho((g_{S_1}\rho)^v(y)))_{y_i} \wedge P\rho \\ \Rightarrow\ & x_i = ((g_{S_1}\rho)^{v+1}(y))_{y_i} \wedge P\rho \\ \Rightarrow\ & \bar{x}_m = \bar{y}_m \wedge x_i = ((g_{S_1}\rho)^{v+1}(y))_{y_i} \wedge P\rho \\ \Rightarrow\ & R[v+1/u] \end{aligned}$$

□
Theorem 29 (Completeness) For a Hoare triple $\{P\}S\{Q\}$

$$\models_{PRA} \{P\}S\{Q\} \Rightarrow \vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\}.$$

Proof: Assume $\models_{PRA} \{P\}S\{Q\}$. Without loss of generality also assume $free(S) \subseteq free(P) = X = \{x_1, \ldots, x_k\}$, $Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$, $\rho = [\bar{y}_k/\bar{x}_k]$ and $y = c(\bar{y}_k\ \bar{y}_k)$. The proof of $\vdash_{\mathcal{H}_{PR}} \{P\}S\{Q\}$ follows.

    {P} S {Q}
    ↑  a | Consequence Rule | b
    {∀i ≤ k(x_i = y_i) ∧ P} S {∀i ≤ k(x_i = (g_S ρ(y))_{y_i}) ∧ Pρ}
    ↑  SPC Hoare triple

Implication $a$ holds since for $P^*$ defined from $P$ by $P^* = \lambda \bar{x}_k \bar{y}_k.\ \forall i \le k(x_i = y_i) \wedge P$,

$$\vdash_{PRA} \forall \bar{x}_k\big(P(\bar{x}_k) \to P^*(\bar{x}_k, \bar{x}_k)\big).$$

Implication $b$ holds because $\forall i \le k(x_i = (g_S\rho(y))_{y_i}) \wedge P\rho$ implies the SPC of program segment $S$ and assertion $P$. Therefore by part 2 of the SPC Theorem, $\forall i \le k(x_i = (g_S\rho(y))_{y_i}) \wedge P\rho$ implies $Q$. □


CHAPTER  3 
BLOCK  LANGUAGE 


3.1     Syntax of L_B

The new token "begin" appears in L_B. The set of program segments is defined in Backus-Naur form for variable identifier x and expression e as follows:

S   =   x := e   |   S_1; S_2   |   loop e; S_1 end   |   B
B   =   begin x; S_1 end.

For simplicity blocks with multiple variable declarations are not allowed. They can be considered as abbreviations of nested blocks with single variable declarations. The program segment begin x; S_1 end binds variable x in S_1. Identifiers which are not bound in a program segment are free in that program segment. Let the occurrence of an identifier x at location i be denoted (i, x). Let the x immediately following the token begin be at location j. The defining occurrence of all occurrences of x in 'begin x; S end', which are not also within another program segment 'begin x; S' end' contained in S, is (j, x).

Call a program distinguished if each defining occurrence of an identifier is unique and no identifier appears both free and bound in the program. Program segments S and S' are congruent, denoted S ≈ S', if they differ only by a renaming of their bound identifiers.

3.2     Semantics of L_B

Recall that state s is a total mapping VI → V where V is the domain of the interpretation. Therefore variable x in begin x; S_1 end will have a domain value associated with it. This introduces nondeterminacy into the language in the case that S_1 reads x's value before writing it. Hence, for simplicity, variables declared in blocks will be initialized to a fixed domain value before the body of the block is executed. Call this value a. After S_1 is executed x's original value will be restored. The following state function gives the meaning of the variable declaration statement.

$S = \mathbf{begin}\ x;\ S_1\ \mathbf{end}$

$f_S(s) = block_I(x, f_{S_1})(s) = (f_{S_1}(s\{I(a)/x\}))\{I(x)(s)/x\}$

The state function $block_I(x, f_{S_1})$ will frequently be written $block_I(x, S_1)$.

Lemma 30 (Substitution Lemma) For a program segment S and a substitution ρ which is injective on free(S)

$f_{S\rho}(s) = f_S\rho(s)$.

Proof: Prove this by induction on a program segment S. The case of a variable declaration statement is given.

$S = \mathbf{begin}\ x_j;\ S_1\ \mathbf{end}$

$f_{S\rho}(s)(x) = block_I(\rho(x_j), f_{S_1\rho})(s)(x)$
$= block_I(\rho(x_j), f_{S_1}\rho)(s)(x)$    Ind. Hyp.
$= (f_{S_1}\rho(s\{I(a)/\rho(x_j)\}))\{I(\rho(x_j))(s)/\rho(x_j)\}(x)$
$= \begin{cases} I(\rho(x_j))(s) & \text{if } x = \rho(x_j) \\ f_{S_1}\rho(s\{I(a)/\rho(x_j)\})(x) & \text{if } x \ne \rho(x_j) \end{cases}$
$= \begin{cases} I(x_j)(s\rho) & \text{if } x = \rho(x_j) \\ f_{S_1}(s\{I(a)/\rho(x_j)\}\rho)(\rho^{-1}x) & \text{if } x \ne \rho(x_j) \end{cases}$
$= (f_{S_1}(s\rho\{I(a)/x_j\}))\{I(x_j)(s\rho)/x_j\}(\rho^{-1}x)$
$= block_I(x_j, f_{S_1})(s\rho)(\rho^{-1}x)$
$= block_I(x_j, f_{S_1})\rho(s)(x)$ □
For S = begin x; S_1 end, it is shown that f_S is a PR function in the following section. It can be shown that f_S is stable and aloof, with respect to its inactive variables, as it was in Chapter 2. Therefore, f_S = block_I(x, S_1) is a program function on free(S).

Lemma 31 (Extension to Lemma 8) Let f be a program function on X.

$block_I(x, f)(P) \subseteq Q\ \Leftrightarrow\ f(P[y/x] \wedge x = a) \subseteq Q[y/x]$
where $y \notin X \cup free(P \vee Q)$

Proof: This statement will be proved if the following can be proved for $y \notin X \cup free(P \vee Q)$.

$\forall s(s \in St_I(P) \to f(s\{I(a)/x\})\{I(x)(s)/x\} \in St_I(Q))$
$\Leftrightarrow\ \forall s(s \in St_I(P[y/x] \wedge x = a) \to f(s) \in St_I(Q[y/x]))$.

(⇒) Assume $\forall s(s \in St_I(P) \to f(s\{I(a)/x\})\{I(x)(s)/x\} \in St_I(Q))$.

$s \in St_I(P[y/x] \wedge x = a)$
$\Rightarrow\ s \in St_I(P[y/x])$
$\Rightarrow\ s\{I(y)(s)/x\} \in St_I(P)$    Corollary 3
$\Rightarrow\ (f(s\{I(y)(s)/x\}\{I(a)/x\}))\{I(x)(s\{I(y)(s)/x\})/x\} \in St_I(Q)$    Assumption
$\Rightarrow\ (f(s\{I(a)/x\}))\{I(y)(s)/x\} \in St_I(Q)$
$\Rightarrow\ (f(s))\{I(y)(s)/x\} \in St_I(Q)$    $s \in St_I(x = a)$
$\Rightarrow\ (f(s))\{I(y)(f(s))/x\} \in St_I(Q)$    f is stable
$\Rightarrow\ f(s) \in St_I(Q[y/x])$    Corollary 3

(⇐) Assume $\forall s(s \in St_I(P[y/x] \wedge x = a) \to f(s) \in St_I(Q[y/x]))$.

$s \in St_I(P)$
$\Rightarrow\ s\{I(x)(s)/y\} \in St_I(P[y/x])$    Corollary 4
$\Rightarrow\ s\{I(x)(s)/y, I(a)/x\} \in St_I(P[y/x] \wedge x = a)$
$\Rightarrow\ f(s\{I(x)(s)/y, I(a)/x\}) \in St_I(Q[y/x])$    Assumption
$\Rightarrow\ f(s\{I(a)/x\})\{I(x)(s)/y\} \in St_I(Q[y/x])$    f stable and aloof
$\Rightarrow\ (f(s\{I(a)/x\})\{I(x)(s)/y\})\{I(y)((f(s\{I(a)/x\}))\{I(x)(s)/y\})/x\} \in St_I(Q)$    Corollary 4
$\Rightarrow\ (f(s\{I(a)/x\}))\{I(x)(s)/x\} \in St_I(Q)$ □
3.3     L_B Computes the Class of PR Functions

Two new PR functions are needed before extending g_S for variable declarations. Define add_{x_i}, which takes a state code on X and returns a state code on X ∪ {x_i}, and drop_{x_i}, which takes a state code on X ∪ {x_i} and returns a state code on X, as follows.

For x a state code on X = {x_1, ..., x_k} and var(e) ⊆ X

$add_{x_i}(e, x) = c((x_1\ (x)x_1) \cdots (x_k\ (x)x_k)(x_i\ g_e(x)))$.

For x a state code on X = {x_1, ..., x_k}

$drop_{x_i}(x) = \begin{cases} c((x_1\ (x)x_1) \cdots (x_{i-1}\ (x)x_{i-1})(x_{i+1}\ (x)x_{i+1}) \cdots (x_k\ (x)x_k)) & \text{if } x_i \in X \\ c((x_1\ (x)x_1) \cdots (x_k\ (x)x_k)) & \text{if } x_i \notin X \end{cases}$

The PR functions defined in this dissertation are for distinguished programs. A PR function could be written to take an L_B program as input and output a distinguished version of that program. Throughout the remainder of this dissertation it will be assumed that such a translation has already occurred.

Extend the function g_S with a clause for variable declarations. For program segment S in an L_B program define g_S : D → D as in section 2.3 with the additional clause:

$S = \mathbf{begin}\ x_i;\ S_1\ \mathbf{end}$

$g_S(x) = drop_{x_i}(g_{S_1}(add_{x_i}(a, x)))$

Lemma 32 (Extension to Lemma 10) Function g_S is PR and for free(S) = X

$g_S(c(s|X)) = c(f_S(s)|X)$.

Proof: Function g_S is PR since add_{x_i} and drop_{x_i} are PR functions. Prove the equality by induction on program segment S. The cases for S = x_i := e, S = S_1; S_2 and S = loop e; S_1 end are proved as they were in Chapter 2.
$S = \mathbf{begin}\ x_i;\ S_1\ \mathbf{end}$    Since S occurs in a distinguished program x_i will not already be in X.

$g_S(c(s|X)) = drop_{x_i}(g_{S_1}(add_{x_i}(a, c(s|X))))$
$= drop_{x_i}(g_{S_1}(c(s\{I(a)/x_i\}|X \cup \{x_i\})))$
$= drop_{x_i}(c(f_{S_1}(s\{I(a)/x_i\})|X \cup \{x_i\}))$    Ind. Hyp.
$= c(f_{S_1}(s\{I(a)/x_i\})|X)$
$= c((f_{S_1}(s\{I(a)/x_i\}))\{I(x_i)(s)/x_i\}|X)$    $x_i \notin X$
$= c(f_S(s)|X)$ □


Theorem 33 The class of functions computed by L_B programs is the class of PR functions.

Proof: The proof is the same as that given for this theorem in Chapter 2 except that the new meaning function for g_S is used. □

3.4     Verification of L_B Programs

The verification system H_PR is extended to H_B by adding the following Program Rule and Variable Declaration Rule.

Program Rule

$\dfrac{\{P\}S_d\{Q\}}{\{P\}\pi\{Q\}}$

for $\pi = (S, z)$, $S \approx S_d$ and $S_d$ distinguished.

Variable Declaration Rule

$\dfrac{\{P[y/x] \wedge x = a\}S\{Q[y/x]\}}{\{P\}\mathbf{begin}\ x;\ S\ \mathbf{end}\{Q\}}$

for $y \notin free(P \vee Q) \cup free(S)$.
3.5     Soundness of H_B

Theorem 34 (Soundness) For a Hoare triple {P}S{Q}

Proof: Prove this by induction on the proof system H_B. The soundness of the rules presented in Chapter 2 is proven as it was in that chapter. Let I be an interpretation of PA.

Variable Declaration Rule:

Assume $\vdash_{\mathcal{H}_B} \{P\}\mathbf{begin}\ x;\ S\ \mathbf{end}\{Q\}$. In that proof $\vdash_{\mathcal{H}_B} \{P[y/x] \wedge x = a\}S\{Q[y/x]\}$ for $y \notin free(P \vee Q) \cup free(S)$. By the inductive hypothesis $\models_I \{P[y/x] \wedge x = a\}S\{Q[y/x]\}$ or $f_S(P[y/x] \wedge x = a) \subseteq Q[y/x]$. Therefore by Lemma 31 $block_I(x, f_S)(P) \subseteq Q$. □

Corollary 35 For a Hoare triple $\{P\}\pi\{Q\}$

$\vdash_{\mathcal{H}_B} \{P\}\pi\{Q\}\ \Rightarrow\ \models_{PA} \{P\}\pi\{Q\}$.

Proof: Let I be an interpretation of PA, $\pi = (S, z)$ and $S \approx S_d$ where $S_d$ is distinguished. Assume $\vdash_{\mathcal{H}_B} \{P\}\pi\{Q\}$. Then in that proof, $\vdash_{\mathcal{H}_B} \{P\}S_d\{Q\}$ and by the Soundness Theorem $\models_I f_{S_d}(P) \subseteq Q$. By the Substitution Lemma this is equivalent to $\models_I f_S(P) \subseteq Q$ or $\models_I \{P\}\pi\{Q\}$. □

3.6     Completeness of H_B

Once the provability of the SPC Hoare triple is established the completeness property of H_B is proven as it was in Chapter 2. The following results are needed to show the provability of the SPC Hoare triple.

Lemma 36 For expression e with var(e) ⊆ {x_1, ..., x_k}

$add_{x_{k+1}}(e, c(\bar{x}_k\ \bar{x}_k)) = set_{x_{k+1}}(e, c(\bar{x}_{k+1}\ \bar{x}_{k+1}))$.

Proof: The proof is a straightforward application of the definitions. □

Lemma 37 For a function f defined on the state codes of {x_1, ..., x_k}

$\forall \bar{u}_{k+1} \forall \bar{v}_{k+1}(\forall i \le k+1(u_i = (f(c(\bar{v}_{k+1}\ \bar{v}_{k+1})))x_i) \wedge v_{k+1} = a \to \forall i \le k+1(u_i = (f(add_{x_{k+1}}(a, c(\bar{v}_k\ \bar{v}_k))))x_i))$

Proof: This results from Corollary 26 and Lemma 36. □

Lemma 38 (SPC Hoare triple) For a program segment S and an assertion P where $free(S) \subseteq free(P) = X = \{x_1, \ldots, x_k\}$, $Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$ and $\rho = [\bar{y}_k/\bar{x}_k]$

$\vdash_{\mathcal{H}_B} \{\forall i \le k(x_i = y_i) \wedge P\}\ S\ \{\forall i \le k(x_i = (g_S\rho(c(\bar{y}_k\ \bar{y}_k)))y_i) \wedge P\rho\}$.

Proof: Prove the lemma by induction on S. The proof for all cases except the Variable Declaration Rule will be the same as in Chapter 2. Let $y = c(\bar{y}_k\ \bar{y}_k)$.

$S = \mathbf{begin}\ x_j;\ S_1\ \mathbf{end}$

Assume free(begin x_j; S_1 end) ⊆ free(P) = X. Since S occurs in a distinguished program, x_j will not already be in X. Without loss of generality let S = begin x_{k+1}; S_1 end.


$\{\forall i \le k(x_i = y_i) \wedge P\}\ \mathbf{begin}\ x_{k+1};\ S_1\ \mathbf{end}\ \{\forall i \le k(x_i = (g_S\rho(y))y_i) \wedge P\rho\}$
    ↑  Consequence Rule  ↑ a

Let $y_{k+1}$ be a fresh variable, $y' = c(\bar{y}_{k+1}\ \bar{y}_{k+1})$, $\rho' = [\bar{y}_{k+1}/\bar{x}_{k+1}]$ and $g_{S_1}$ be extended to operate on the state code $y'$ so that it leaves $y_{k+1}$ unchanged.

$\{\forall i \le k+1(x_i = y_i) \wedge P\}\ \mathbf{begin}\ x_{k+1};\ S_1\ \mathbf{end}\ \{\forall i \le k+1(x_i = (g_{S_1}\rho'(y'))y_i) \wedge (P \wedge x_{k+1} = a)\rho'\}$
    ↑  Variable Declaration Rule
$\{\forall i \le k+1(x_i = y_i) \wedge P \wedge x_{k+1} = a\}\ S_1\ \{\forall i \le k+1(x_i = (g_{S_1}\rho'(y'))y_i) \wedge (P \wedge x_{k+1} = a)\rho'\}$
    Inductive Hypothesis

The proof of implication a is as follows.

$\forall i \le k+1(x_i = (g_{S_1}\rho'(y'))y_i) \wedge (P \wedge x_{k+1} = a)\rho'$
$\Rightarrow\ \forall i \le k+1(x_i = (g_{S_1}\rho'(y'))y_i) \wedge P\rho \wedge y_{k+1} = a$
$\Rightarrow\ \forall i \le k+1(x_i = (g_{S_1}(y'\rho'))x_i) \wedge P\rho \wedge y_{k+1} = a$
$\Rightarrow\ \forall i \le k+1(x_i = (g_{S_1}(add_{x_{k+1}}(a, y\rho)))x_i) \wedge P\rho$
$\Rightarrow\ \forall i \le k(x_i = (drop_{x_{k+1}}(g_{S_1}(add_{x_{k+1}}(a, y\rho))))x_i) \wedge P\rho$
$\Rightarrow\ \forall i \le k(x_i = (g_S(y\rho))x_i) \wedge P\rho$
$\Rightarrow\ \forall i \le k(x_i = (g_S\rho(y))y_i) \wedge P\rho$.


CHAPTER  4 
PARAMETERLESS  PROCEDURES 


4.1     Recursion  in  a  PR  Programming  Language 

A minimal programming language which computes the class of PR functions has been presented. A more useful language which computes this class of functions is developed next. In order to do this, constructs similar to those of universal programming languages will be added. The concern here is not to construct an actual programming language but to form the theoretical basis for such a language. Constructs such as conditionals, case statements, bounded while loops and non-recursive procedures can be straightforwardly added to the language. The unbounded while loop, unbounded recursion and the goto construct cannot be added. Primitive recursion is one of the constructs between these extremes.

How should primitive recursion be formulated as a programming construct? Hopefully there is a general method so recursion in the language does not need to be in the exact form of primitive recursion. Consider functions with a single output. One way to restrict recursive procedure calls is to associate a maximum value with the recursive procedure. If the value computed by the procedure exceeds this value subsequent recursive calls to this procedure are ignored. Peter [32] refers to the function computed by such a procedure as bounded recursion and shows that this does not lead out of the class of elementary functions, a subset of the class of PR functions. This approach was not adopted in this research.
Alternatively, a bound can be associated with each recursive procedure which gives the maximum nesting depth of that procedure. This bound would restrict the number of copies of the procedure which can be active at one time. Once this depth has been reached subsequent calls to the procedure would be ignored. Figure 4.1 illustrates bounded recursion. The programmer should be able to write an expression for such a bound. When writing a recursive procedure the programmer should mentally justify that the procedure will terminate by verifying that on each recursive call the problem is broken into a finite number of smaller problems. The expression for the maximum procedure nesting depth can be determined from this reduction. This is the approach utilized in this research. Throughout the remainder of this paper bounded recursion will refer to recursion bounded by a maximum nesting depth.

Unfortunately, placing a bound on the nesting depth of a procedure does not guarantee that the programs will compute only the class of PR functions. Ackermann's function is a total function which is not PR. Ackermann's function can be defined as follows.

$Acker(k, n, m) = E_k(n, m)$ where

$E_0(n, m) = m^n$

$E_k(0, m) = 1$ for $k > 0$

$E_k(n, m) = E_{k-1}(E_k(n-1, m), m)$ for $k > 0$ and $n > 0$

It can be shown that Ackermann's function is not PR because it grows faster than any PR function [13]. Ackermann's function is built in stages. It is built at one stage by iterating on the function at the previous stage. The definition of Ackermann's function given above starts with exponentiation to avoid special initial cases. Figure 4.2 shows how quickly Ackermann's function grows on k.
bound
procedure fib(n)   n
  if n=0 then z:=1
  elseif n=1 then z:=1
  else z:=fib(n-1)+fib(n-2)
end

[Figure residue: three nested copies of the body of fib, the innermost marked fib*]

When fib* is executed the recursive procedure fib is nested 3 levels deep. This is possible if n ≥ 3.

Figure 4.1. Bounded recursion
$Acker(0, n, m) = m^n$

$Acker(1, n, m) = m^{m^{\cdot^{\cdot^{m}}}}$   (a tower of n m's)

$Acker(2, n, m)$ = a tower of m's whose height is $Acker(2, n-1, m)$

Figure 4.2. Ackermann's function Acker(k, n, m) grows quickly on k

If the following procedure is executed when z=1, it terminates with the value of Acker(k, n, m) in variable z.

proc exp(n,m)   n
  * L_B program to set
  * z to m^n
end

proc acker(k,n,m)   k
  if k=0 then exp(n,m)
  else
    loop n
      acker(k-1,z,m)
    end
  end
end

The  construct  which  leads  out  of  the  class  of  PR  functions  is  the  recursive  call 
within  the  body  of  a  loop.  It  is  this  construct  which  allows  Ackermann's  function  to 
be  built  at  one  stage  by  iterating  on  Ackermann's  function  at  the  previous  stage. 
It can be argued that a recursive call within the body of a loop is not a structured construct. Structuredness has been defined as the ability to understand the meaning of the whole from the meaning of the parts and a few combining rules. For example, a loop language would be considered structured if the meaning of the program segment 'loop n S end' is completely determined by the meaning of S and the knowledge that the 'loop n' construct means to repeat the body of the loop n times. In the above construct the meaning of the body of the recursive procedure requires knowing the meaning of the loop body. Yet knowing the meaning of the loop body requires knowing the meaning of the procedure body. Thus the meaning of the procedure body and the loop body are being defined simultaneously.

Notice the relation between a program segment and the function it computes. A program segment S_1; S_2 translates into the nested function $g_{S_2}(g_{S_1}(x))$. Similarly the function computed by the following program segment is a nested recursive function.

S =   proc p(x)   n
        p(x)
        p(x)
      end
      p(x)

If p is defined by primitive recursion as

$p(0, x) = x$

$p(i+1, x) = p(i, p(i, x))$

then $g_S(x) = p(n, x)$. Peter refers to such nested functions as simple nested recursive functions and shows that this type of nesting does not lead out of the class of PR functions. Frequently, however, nested recursion does lead out of the class of PR functions.

Consider the program segment

loop n
  S
end

which translates into the function loop(n, x) defined by

$loop(0, x) = x$

$loop(i+1, x) = g_S(loop(i, x))$.

This does not lead out of the class of PR functions as long as the function g_S is known. However, if the loop body S contains a recursive call to the procedure containing the loop, the function g_S will not be known. In this case the function loop is an example of recursion of the first degree. That is, it is a function which depends on a function. It can be written

$loop(0, x, g_S) = x$

$loop(i+1, x, g_S) = g_S(loop(i, x, g_S))$.

Peter shows that such functions can be reduced to doubly nested recursive functions and therefore lead out of the class of PR functions.

It has been established by the Ackermann example that procedures of the following form must be disallowed in a PR programming language.

proc p(x)   m
  loop n
    p(x)
  end
end

It is possible to simulate this procedure without using the loop construct. The following procedure is equivalent to the above.

proc p(x)   m
  proc q(x)   n
    q(x)
    p(x)
  end
  q(x)
end

The loop is simulated by recursive procedure q. The offensive call is no longer a call to the procedure itself. In this program the offensive call is a call within procedure q to procedure p, the parent of q. Thus calls to the parent of the current procedure must be restricted in a PR language. Since calls to parents are restricted, calls to all direct ancestors must also be restricted since a call to a parent could easily be simulated in a language which allowed calls to a direct ancestor.

If procedure q in the previous example was moved outside of procedure p the resulting program would still be equivalent to a procedure containing a recursive call within a loop.

proc p(x)   m
  q(x)
end
proc q(x)   n
  q(x)
  p(x)
end

The recursive call within a loop is simulated by procedure p calling procedure q and procedure q calling procedure p. Thus call sequences where siblings mutually call each other, directly or indirectly, must be restricted.

A  recursive  call  is  a  call  to  a  procedure  which  is  active  at  the  time  the  call  is  made. 
Refer  to  a  recursive  call  as  direct  if  it  is  a  call  to  the  current  procedure.  All  other 
recursive  calls  will  be  referred  to  as  indirect.  The  previous  two  examples  contain  both 
direct  and  indirect  recursive  calls. 

4.2     Syntax of L_D

In addition to the other tokens of L_B, an infinite set of ordered procedure identifiers which is disjoint from the set of variable identifiers, and the new token "proc" are part of the language L_D. Environments are also introduced in this new language. An environment is a sequence of procedure declarations. Procedure declarations are of the form proc p e; S end for procedure identifier p and program segment S. Here e is an expression for the maximum nesting depth of the procedure. This expression is referred to as the procedure's bound. For a variable identifier x, a procedure identifier p and an expression e the set of program segments of L_D is defined in Backus-Naur form as follows:

S   =   x := e   |   S_1; S_2   |   loop e; S_1 end   |   B   |   p
B   =   begin x; S end   |   begin E; S end
E   =   ε   |   proc p e; S end   |   E_1 E_2

Recall that the program segment 'begin x; S end' binds variable x in S. Similarly the program segment

T   =   begin proc p e; S_1 end E_1; S_2 end

binds procedure identifier p in T. Let the p immediately following the token proc be at location j. The defining occurrence of all occurrences of p in T, which are not also within another program segment 'begin proc p e'; S'_1 end E'_1; S'_2 end' contained in E_1 or S_2, is (j, p). Now both variable and procedure identifiers must be renamed to distinguish a program.

It was shown that program segments of the languages L_PR and L_B can be translated into PR functions. The situation is more complex for program segments in L_D. These program segments may contain calls to procedures defined outside of S and they may be contained within a recursive routine. Define a program unit E | S as an 'environment'/'program segment' pair where all procedure identifiers are bound in 'begin E; S end'. Define a recursive program unit, or recursive unit, E |_p S as an 'environment'/'procedure identifier'/'program segment' triple where E | S is a program unit and calls in S to p would be recursive.
Let min(E | S) denote E' | S where E' is the minimum environment such that E' | S is a program unit. Given a program unit E | S where min(E | S) = E' | S, E' is the set of procedures and id(E | S) the set of identifiers visible from S. Make similar definitions for a recursive unit E |_p S. Olderog [29] has additional details.

A call di-graph, or call directed graph, for procedure call E | p in a distinguished program is constructed as follows. Let E | p be the root node. For each node E | p in the graph, where proc p e; S end ∈ E, consider E | S.

For E | S = E' | S' do the following.

E' | S' = E' | x_i := e     Do nothing.

E' | S' = E' | S_1; S_2     Consider E' | S_1 and E' | S_2 separately.

E' | S' = E' | loop e; S_1 end     Consider E' | S_1.

E' | S' = E' | begin x_i; S_1 end     Consider E' | S_1.

E' | S' = E' | begin E_1; S_1 end     Consider Add(E_1, E') | S_1.

E' | S' = E' | q     Three cases are possible. Either p = q, there is a node E'' | q which is a direct ancestor of E | p, or there is no node with procedure identifier q which is a direct ancestor of E | p. In the first case the call E' | q is a direct recursive call. Draw a directed edge from node E | p to itself. Note that min(E' | q) = min(E | p). In the second case E' | q is an indirect recursive call. Draw a directed edge from node E | p to node E'' | q. Note that min(E' | q) = min(E'' | q). In the last case E' | q is a non-recursive call. Create a new node E' | q, draw a directed edge from node E | p to node E' | q and repeat the process for this new node.

Figure 4.3 gives an example of a procedure call and its call di-graph. For simplicity the environments have not been shown. Notice that each cycle is entered via a single
node referred to as the start node of the cycle. Call all other nodes on the cycle inner nodes. Say a cycle is complex if one of its inner nodes is the start node of another cycle. Otherwise the cycle is simple. All cycles in the call di-graph of figure 4.3 are simple.

S =   proc p
        q
        r
      end
      proc q
        q
      end
      proc r
        s
      end
      proc s
        q
        r
      end
      p

[call di-graph not recoverable from the figure]

Figure 4.3. Example of a procedure call and its call di-graph

Let L be the language L_B without the loop construct and where bounded recursive calls are allowed. Then the call di-graph for a program in L could contain a complex cycle. Figure 4.4 shows such a procedure call and its call di-graph. Recall that a procedure with the call structure given in figure 4.4 may compute a function which is not PR. Thus the PR language must be restricted so that the call di-graph for any program in the language contains only simple cycles.

A simple cycle which is entered via the call E | p will be called E | p's cycle or simply p's cycle if no ambiguity will result. If each cycle on the call di-graph is
collapsed into a single node the call di-graph becomes a tree. The height of a call di-graph is the number of edges in the longest path of this tree, counted by passing through each node only once.

S =   proc p
        q
      end
      proc q
        q
        p
      end
      p

[call di-graph not recoverable from the figure]

Figure 4.4. Procedure call and di-graph with complex cycles

Given the program segment loop e; S end, in the previous chapters var(e) ∩ free(S) = ∅. In this chapter we assume var(e) ∩ free(min(E | S)) = ∅ for program unit

E | loop e; S end

and for program unit

E | begin proc q e; S end; T end.

A program in L_D is a block with no free procedure identifiers where the call di-graph of each call contains only simple cycles, and calls to the next node on a cycle do not occur within the body of a loop. Assignment, composition, iteration, variable declaration and procedure declaration are referred to as non-call constructs.
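The call di-graph construction of this section and the two restrictions just stated (only simple cycles; no call to the next node on a cycle inside a loop body), as an added Python example that is not the dissertation's code. It assumes a single flat, distinguished environment given as a dict from procedure identifier to body, omits the bounds, and writes bodies as nested tuples in place of the concrete syntax.

```python
# Added example (not the dissertation's code): the call di-graph of section 4.2 and
# the simple/complex-cycle and loop-body checks on it.  Assumptions: one flat,
# distinguished environment (dict proc -> body), bounds omitted, bodies written as
# ('assign', x, e), ('seq', S1, S2, ...), ('loop', e, S), ('block', x, S),
# ('if', c, S1, S2) and ('call', q); expressions are not inspected.


def calls(stmt, in_loop=False):
    """Yield (callee, True if the call occurs inside a loop body) for each call."""
    kind = stmt[0]
    if kind == 'call':
        yield stmt[1], in_loop
    elif kind == 'seq':
        for s in stmt[1:]:
            yield from calls(s, in_loop)
    elif kind == 'loop':
        yield from calls(stmt[2], True)
    elif kind == 'block':
        yield from calls(stmt[2], in_loop)
    elif kind == 'if':
        yield from calls(stmt[2], in_loop)
        yield from calls(stmt[3], in_loop)
    # 'assign' contains no procedure calls


class Node:
    """A node E | p; via_loop records whether the call that created this node
    from its parent sits inside a loop body."""

    def __init__(self, proc, parent, via_loop):
        self.proc, self.parent, self.via_loop = proc, parent, via_loop
        self.edges = []                # (target node, call inside a loop body?)

    def ancestors(self):               # this node and its direct ancestors, nearest first
        n = self
        while n is not None:
            yield n
            n = n.parent


def build_graph(env, root):
    """Build the call di-graph rooted at a call to `root` (the three cases of 4.2)."""
    root_node = Node(root, None, False)
    work = [root_node]
    while work:
        node = work.pop()
        for q, in_loop in calls(env[node.proc]):
            anc = next((a for a in node.ancestors() if a.proc == q), None)
            if anc is not None:        # direct (anc is node) or indirect recursive call
                node.edges.append((anc, in_loop))
            else:                      # non-recursive call: new node, repeat for it
                child = Node(q, node, in_loop)
                node.edges.append((child, in_loop))
                work.append(child)
    return root_node


def cycles(root_node):
    """Each back edge u -> v (v an ancestor of u) closes one cycle with start node v.
    Returns (start, inner nodes, some next-node call lies inside a loop body)."""
    found, stack = [], [root_node]
    while stack:
        u = stack.pop()
        for v, in_loop in u.edges:
            if any(v is a for a in u.ancestors()):
                inner, n, in_loop_body = [], u, in_loop
                while n is not v:      # walk back from u to the start node
                    inner.append(n)
                    in_loop_body = in_loop_body or n.via_loop
                    n = n.parent
                found.append((v, inner[::-1], in_loop_body))
            else:
                stack.append(v)
    return found


def check_program(env, root):
    """(all cycles simple?, no next-node call inside a loop body?) for a call to root."""
    cs = cycles(build_graph(env, root))
    starts = {id(start) for start, _, _ in cs}
    all_simple = all(id(n) not in starts for _, inner, _ in cs for n in inner)
    return all_simple, not any(bad for _, _, bad in cs)


# Figure 4.3 (constructed from the page): every cycle is simple.
FIG_4_3 = {'p': ('seq', ('call', 'q'), ('call', 'r')), 'q': ('call', 'q'),
           'r': ('call', 's'), 's': ('seq', ('call', 'q'), ('call', 'r'))}
# Figure 4.4 / section 4.1: q is an inner node of p's cycle and the start of its own.
FIG_4_4 = {'p': ('call', 'q'), 'q': ('seq', ('call', 'q'), ('call', 'p'))}
# The acker procedure of 4.1 (parameters dropped): a recursive call inside a loop.
ACKER = {'exp': ('assign', 'z', None),
         'acker': ('if', None, ('call', 'exp'), ('loop', None, ('call', 'acker')))}

if __name__ == '__main__':
    print(check_program(FIG_4_3, 'p'))       # (True, True)
    print(check_program(FIG_4_4, 'p'))       # (False, True)
    print(check_program(ACKER, 'acker'))     # (True, False)
```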

4.3     Semantics of L_D

In L_D the work variables can be declared using the construct begin x; S end. Recall that the meaning of this program segment is independent of the variable identifier x. That is, begin x; S end and begin y; S[y/x] end, where S[y/x] is the result of replacing every free occurrence of x in S by y, have the same meaning provided y ∉ var(S). Care must be taken when adding procedures to this language so that this independence is maintained.

Consider the following program block. For simplicity the bounds associated with the procedures will be ignored.

begin x
  proc p
    z := x
  end
  proc q
    begin x
      x := 2
      p
    end
  end
  x := 1
  q
end

If this program is executed using dynamic scope of variables, z will be 2 upon completion of this program. However, if the variable identifier declared in procedure q is changed to y so that procedure q is defined as in the following program, z will be 1 after executing the block.

proc q
  begin y
    y := 2
    p
  end
end

Thus the meaning of the block is dependent on the variable identifier used to declare a temporary work variable in procedure q. Static scope of variables guarantees that the meaning of S will be independent of the variable identifier chosen. The new language L_D will use static scope of identifiers.

Identifiers, both variable and procedure, will be renamed to maintain static scope. Given a program, Hoare triples will be proved for a distinguished copy of that program. Since there are an infinite number of distinguished programs which are congruent to a given program, the identifiers chosen to distinguish a program will be such that the next available identifier is chosen whenever a new identifier is needed. Whenever a recursive call is made the bound identifiers in the body of the recursive procedure will be renamed. Renaming procedure identifiers has no effect in L_D. The groundwork is being laid for when passing procedures as parameters is allowed and renaming procedure identifiers is necessary to maintain static scope of procedure identifiers.

Let C_I denote the function which performs the renaming necessary to maintain static scope. The function C_I takes a program segment S and a finite set of identifiers I and returns a program segment S' such that S and S' are congruent and no identifier bound in S' occurs in I. The function C_I is the copy rule C_∞ introduced by Olderog [29]. It performs a non-deterministic renaming of identifiers. To make this deterministic let C_I choose the next available identifier whenever a new identifier is needed. The set I of identifiers in C_I contains those identifiers which are visible when the call is made. Thus frequently C_I will be written without the subscript I as C.

The meaning of a recursive unit E |_p S depends upon the current level of nesting of that procedure. Therefore semantics must be given relative to bounded recursive units. The bounded recursive unit E |_p^b S denotes a recursive unit E |_p S where S is a program segment on p's cycle and active copies of this cycle may be nested b additional times. If b = 0 calls to p will be ignored.
The semantics for $\mathcal{L}_Q$ are defined by a mapping $\Sigma$ which, given an interpretation $\mathcal{I}$, assigns a state function $\Sigma_{\mathcal{I}}(\pi)$ to every program of $\mathcal{L}_Q$ as follows.

$$\Sigma_{\mathcal{I}}(\pi) = \Sigma_{\mathcal{I}}(\emptyset \mid S_d) \quad \text{where } \pi = (S, \varepsilon),\ S_d \cong S \text{ and } S_d \text{ is distinguished.}$$

For program units $E \mid S$:

$$\Sigma_{\mathcal{I}}(E \mid x_i := e) = assign_{\mathcal{I}}(x_i, e)$$

$$\Sigma_{\mathcal{I}}(E \mid S_1; S_2) = comp_{\mathcal{I}}(\Sigma_{\mathcal{I}}(E \mid S_1), \Sigma_{\mathcal{I}}(E \mid S_2))$$

$$\Sigma_{\mathcal{I}}(E \mid \textbf{loop } e;\ S_1 \textbf{ end}) = loop_{\mathcal{I}}(e, \Sigma_{\mathcal{I}}(E \mid S_1))$$

$$\Sigma_{\mathcal{I}}(E \mid \textbf{begin } x_i;\ S_1 \textbf{ end}) = block_{\mathcal{I}}(x_i, \Sigma_{\mathcal{I}}(E \mid S_1))$$

$$\Sigma_{\mathcal{I}}(E \mid \textbf{begin } E_1;\ S_1 \textbf{ end}) = \Sigma_{\mathcal{I}}(E' \mid S_1) \quad \text{where } E' = Add(E_1, E)$$

$$\Sigma_{\mathcal{I}}(E \mid p)(s) = \begin{cases} \Sigma_{\mathcal{I}}(E \mid T)(s) & \text{if } E \mid p \text{ is not a start node} \\ \Sigma_{\mathcal{I}}(E \mid p\ \mathcal{I}(e)(s))(s) & \text{if } E \mid p \text{ is a start node} \end{cases} \quad \text{for } \textbf{proc } p\ e;\ T \textbf{ end} \in E$$

$$\Sigma_{\mathcal{I}}(E \mid p\ b) = \begin{cases} id & \text{if } b = 0 \\ \Sigma_{\mathcal{I}}(E\,|^{b-1}_p\, C(T)) & \text{if } b > 0 \end{cases}$$

For bounded recursive units $E\,|^b_p\,S$:

$$\Sigma_{\mathcal{I}}(E\,|^b_p\, x_i := e) = assign_{\mathcal{I}}(x_i, e)$$

$$\Sigma_{\mathcal{I}}(E\,|^b_p\, S_1; S_2) = comp_{\mathcal{I}}(\Sigma_{\mathcal{I}}(E\,|^b_p\, S_1), \Sigma_{\mathcal{I}}(E\,|^b_p\, S_2))$$

$$\Sigma_{\mathcal{I}}(E\,|^b_p\, \textbf{loop } e;\ S_1 \textbf{ end}) = loop_{\mathcal{I}}(e, \Sigma_{\mathcal{I}}(E\,|^b_p\, S_1))$$

$$\Sigma_{\mathcal{I}}(E\,|^b_p\, \textbf{begin } x_i;\ S_1 \textbf{ end}) = block_{\mathcal{I}}(x_i, \Sigma_{\mathcal{I}}(E\,|^b_p\, S_1))$$

$$\Sigma_{\mathcal{I}}(E\,|^b_p\, \textbf{begin } E_1;\ S_1 \textbf{ end}) = \Sigma_{\mathcal{I}}(E'\,|^b_p\, S_1) \quad \text{where } E' = Add(E_1, E)$$

$$\Sigma_{\mathcal{I}}(E\,|^b_p\, q) = \begin{cases} \Sigma_{\mathcal{I}}(E \mid p\ b) & \text{if } q = p \\ \Sigma_{\mathcal{I}}(E\,|^b_p\, C(T)) & \text{if } q \text{ is on } p\text{'s cycle, } q \neq p \\ \Sigma_{\mathcal{I}}(E \mid q) & \text{if } q \text{ is not on } p\text{'s cycle} \end{cases} \quad \text{for } \textbf{proc } q\ e;\ T \textbf{ end} \in E$$
Notice that for $min(E \mid p\ b) = min(E' \mid p\ b)$, $\Sigma_{\mathcal{I}}(E \mid p\ b)(s) = \Sigma_{\mathcal{I}}(E' \mid p\ b)(s)$. Also notice that the above semantics are operational. The meaning of a recursive procedure call is given in terms of the copy rule applied to the body of that procedure. When the translation is given from an $\mathcal{L}_Q$ program to the PR function which denotes that program, denotational semantics are given. Thus, the PR functions corresponding to program units in $\mathcal{L}_Q$ must not utilize copy rules.

Proving a property about an $\mathcal{L}_Q$ program can no longer be done as a simple induction on program segment $S$. Following is an example proof showing how an arbitrary property $R$ is proven for a program unit $E \mid S$. That is, it will be proven that for a program unit $E \mid S$, $R(E \mid S)$ holds.

The proof involves a number of inductions on a program unit $E \mid S$. These inductions occur within two contexts: induction on a distinguished program unit $E \mid S$, and induction on a distinguished bounded program unit $E\,|^b_p\,S$. First prove that property $R$ holds, in either context, for $S$ a non-call construct. That is, first prove $R(E \mid S)$ and $R(E\,|^b_p\,S)$ for $S$ a non-call construct.

Once the above has been proven it is known that $R(E \mid S)$ holds for the non-call constructs. All that is left to show is $R(E \mid p)$. Prove this by induction on the height $h$ of the $E \mid p$ di-graph. Let $\textbf{proc } p\ e;\ T \textbf{ end} \in E$.

Say $h = 0$ and the call $E \mid p$ is not the start node of a cycle. Show that, for $E \mid T$ a distinguished program unit, $R(E \mid p)$ follows from $R(E \mid T)$. Once this has been shown, all that is left to show is that $R(E \mid T)$ holds. It will have been shown that the property $R(E \mid T)$ holds for the non-call constructs. Since $h = 0$ there are no calls in procedure body $T$.

Say $h = 0$ and the call $E \mid p$ is the start node of one or more cycles. Show that $R(E \mid p)$ follows from $R(E \mid p\ b)$. Once this has been shown, all that is left to show is that $R(E \mid p\ b)$ holds.

Prove $R(E \mid p\ b)$ by induction on bound $b$. Show $R(E \mid p\ 0)$ holds. Assume $R(E \mid p\ b-1)$ holds for any program unit $E \mid p$. Show that, for $E \mid T$ a distinguished program unit, $R(E \mid p\ b)$ follows from $R(E\,|^{b-1}_p\,T)$.

It will have been shown that, for any $b$, $R(E\,|^b_p\,T)$ holds for the non-call constructs. Since $h = 0$, calls in procedure body $T$ can only be to the first node on a cycle. Consider the cycles on node $E \mid p$. Label the calls participating in these cycles according to how many calls there are between the edge representing this call and the edge entering node $E \mid p$. That is, the $n$th call directly to procedure $p$ is labeled $E_{n,0} \mid q_{n,0}$. Label the $n$th call to a procedure which is $m$ calls away from a recursive call to procedure $E \mid p$, $E_{n,m} \mid q_{n,m}$. Property $R(E\,|^{b-1}_p\,T)$ holds for each call $E_{n,m} \mid q_{n,m}$ if it can be shown that, for $0 \le i \le m$, $R(E_{n,i}\,|^{b-1}_p\,q_{n,i})$ holds.

Prove $R(E_{n,i}\,|^{b-1}_p\,q_{n,i})$, $0 \le i \le m$, for any $n$, by induction on $i$. First show $R(E_{n,0}\,|^{b-1}_p\,q_{n,0})$, i.e. $R(E_{n,0}\,|^{b-1}_p\,p)$, using the inductive hypothesis on $b$. For $0 < i \le m$, $\textbf{proc } q_{n,i}\ e_{n,i};\ U_{n,i} \textbf{ end} \in E_{n,i}$ and $E_{n,i} \mid U_{n,i}$ distinguished, show that $R(E_{n,i}\,|^{b-1}_p\,q_{n,i})$ follows from $R(E_{n,i}\,|^{b-1}_p\,U_{n,i})$.

It will have been shown that $R(E_{n,i}\,|^{b-1}_p\,U_{n,i})$ holds for the non-call constructs. Since the cycles are simple and $h = 0$ the only calls in $U_{n,i}$ are calls of the form $E_{n',i-1} \mid q_{n',i-1}$. The property $R(E_{n',i-1}\,|^{b-1}_p\,q_{n',i-1})$ holds for these calls by induction on $i$.

Let $h > 0$. The proof that $R(E \mid p)$ holds where $h > 0$ is similar to the proof that $R(E \mid p)$ holds where $h = 0$ except that an additional case is needed to inductively prove some of the equations. Only these additional cases will be discussed.

Say $E \mid p$ is not a start node. In proving $R(E \mid T)$ the procedure body $T$ may contain a procedure call. The height of the di-graph for this call will be less than $h$. Thus, $R(E \mid T)$ holds for this call by induction on $h$.

Say $E \mid p$ is the start node of one or more cycles. In proving $R(E\,|^{b-1}_p\,T)$ the procedure body $T$ may contain one or more calls to a procedure whose node is not on the cycle. Show that for such a call $q$, $R(E\,|^{b-1}_p\,q)$ follows from $R(E \mid q)$. The height of the $E \mid q$ di-graph will be less than $h$. Thus, $R(E \mid q)$ holds by induction on $h$.

In proving $R(E\,|^{b-1}_p\,T)$ for a call to the next node on a cycle, $R(E_{n,i}\,|^{b-1}_p\,U_{n,i})$ must be proved. Here $U_{n,i}$ may contain one or more calls to a procedure whose node is not on the cycle. This case is handled as it was in the previous paragraph.

The above shows how to prove a property of $\mathcal{L}_Q$ programs. Thus, we have a programming language, which includes a powerful form of recursion, yet for which properties can be proved using simple, yet tedious, nested inductions.

Lemma 39 (Substitution Lemma) For a program unit $E \mid S$ and a substitution $\rho$ which is injective on $free(min(E \mid S))$

$$\Sigma_{\mathcal{I}}((E \mid S)\rho)(s) = (\Sigma_{\mathcal{I}}(E \mid S))\rho(s).$$

Proof: This lemma is straightforwardly proved using the technique given in the example proof. □

Lemma 40 For a program unit $E \mid S$, $\Sigma_{\mathcal{I}}(E \mid S)$ is a program function on $free(min(E \mid S))$.

Proof: It is shown that $\Sigma_{\mathcal{I}}(E \mid S)$ is PR for $\mathcal{I}$ an interpretation on $\mathbb{N}$ in the following section. It can be shown that $\Sigma_{\mathcal{I}}(E \mid S)$ is stable and aloof, with respect to its inactive variables, as it was in Chapter 2. □

The following properties of program functions are useful in proving the soundness of the new verification system.

Lemma 41 (Extension to Lemma 8) Let $f$ be a program function on $X$.

1. $f(P[\bar x/\bar y]) \subseteq Q[\bar x/\bar y] \Leftarrow f(P) \subseteq Q$ where $\bar x \cap X = \emptyset$ and $\bar y \cap X = \emptyset$.

2. $f(P[\bar e/\bar y]) \subseteq Q \Leftarrow f(P) \subseteq Q$ where $\bar y \cap (X \cup free(Q)) = \emptyset$.

Proof:

1. Assume $f(P) \subseteq Q$, $\bar x_k \cap X = \emptyset$ and $\bar y_k \cap X = \emptyset$. Let $\{s(x_k)/y_k\}$ denote the replacement $\{s(x_1), \ldots, s(x_k)/y_1, \ldots, y_k\}$.

$s \in St_{\mathcal{I}}(P[\bar x/\bar y])$

$\Rightarrow s\{s(x_k)/y_k\} \in St_{\mathcal{I}}(P)$ (Corollary 3)

$\Rightarrow f(s\{s(x_k)/y_k\}) \in St_{\mathcal{I}}(Q)$ (Assumption)

$\Rightarrow (f(s))\{s(x_k)/y_k\} \in St_{\mathcal{I}}(Q)$ ($f$ is stable)

$\Rightarrow f(s) \in St_{\mathcal{I}}(Q[x_k/y_k])$ (Corollary 3)

2. Assume $f(P) \subseteq Q$ and $\bar y_k \cap (X \cup free(Q)) = \emptyset$.

$s \in St_{\mathcal{I}}(P[e_k/y_k])$

$\Rightarrow s\{\mathcal{I}(e_1)(s), \ldots, \mathcal{I}(e_k)(s)/y_1, \ldots, y_k\} \in St_{\mathcal{I}}(P)$ (Corollary 3)

$\Rightarrow f(s\{\mathcal{I}(e_1)(s), \ldots, \mathcal{I}(e_k)(s)/y_1, \ldots, y_k\}) \in St_{\mathcal{I}}(Q)$ (Assumption)

$\Rightarrow f(s) \in St_{\mathcal{I}}(Q)$ ($\bar y_k \cap free(Q) = \emptyset$)

□

4.4 $\mathcal{L}_Q$ Computes the Class of PR Functions

In the last two chapters the function $g_S$ was defined which simulated program segment $S$. In this chapter $g_{E \mid S}$ will simulate program unit $E \mid S$. Define the function $g_{E \mid S}(\bar x)$ as follows.

$S = x_i := e$: $\quad g_{E \mid S}(\bar x) = set_{x_i}(e, \bar x)$

$S = S_1; S_2$: $\quad g_{E \mid S}(\bar x) = g_{E \mid S_2}(g_{E \mid S_1}(\bar x))$

$S = \textbf{loop } e;\ S_1 \textbf{ end}$: $\quad g_{E \mid S}(\bar x) = g^{\,g_e(\bar x)}_{E \mid S_1}(\bar x)$

$S = \textbf{begin } x_i;\ S_1 \textbf{ end}$: $\quad g_{E \mid S}(\bar x) = drop_{x_i}(g_{E \mid S_1}(add_{x_i}(a, \bar x)))$

$S = \textbf{begin } E_1;\ S_1 \textbf{ end}$: $\quad g_{E \mid S}(\bar x) = g_{E' \mid S_1}(\bar x)$ where $E' = Add(E_1, E)$

$S = p$ where $\textbf{proc } p\ e;\ T \textbf{ end} \in E$:

$$g_{E \mid p}(\bar x) = \begin{cases} g_{E \mid T}(\bar x) & \text{if } E \mid p \text{ is not a start node} \\ r_{E \mid p}(g_e(\bar x), \bar x) & \text{if } E \mid p \text{ is a start node} \end{cases}$$

where

$$r_{E \mid p}(b, \bar x) = \begin{cases} \bar x & \text{if } b = 0 \\ g_{E \mid pT}(b-1, \bar x, r_{E \mid p}(b-1, \bar x)) & \text{if } b > 0 \end{cases}$$

and $g_{E \mid pS}$ is defined as follows.

$S = x_i := e$: $\quad g_{E \mid pS}(b, \bar x, r_{E' \mid p}(b, \bar x)) = set_{x_i}(e, \bar x)$

$S = S_1; S_2$:

$$g_{E \mid pS}(b, \bar x, r_{E' \mid p}(b, \bar x)) = g_{E \mid pS_2}(b,\ g_{E \mid pS_1}(b, \bar x, r_{E' \mid p}(b, \bar x)),\ r_{E' \mid p}(b, g_{E \mid pS_1}(b, \bar x, r_{E' \mid p}(b, \bar x))))$$

$S = \textbf{loop } e;\ S_1 \textbf{ end}$: $\quad g_{E \mid pS}(b, \bar x, r_{E' \mid p}(b, \bar x)) = g^{\,g_e(\bar x)}_{E \mid pS_1}(b, \bar x, r_{E' \mid p}(b, \bar x))$, where $g^{d}_{E \mid pS_1}$ denotes the $d$-fold iterate of $\bar x \mapsto g_{E \mid pS_1}(b, \bar x, r_{E' \mid p}(b, \bar x))$

$S = \textbf{begin } x_i;\ S_1 \textbf{ end}$:

$$g_{E \mid pS}(b, \bar x, r_{E' \mid p}(b, \bar x)) = drop_{x_i}(g_{E \mid pS_1}(b,\ add_{x_i}(a, \bar x),\ r_{E' \mid p}(b, add_{x_i}(a, \bar x))))$$

$S = \textbf{begin } E_1;\ S_1 \textbf{ end}$:

$$g_{E \mid pS}(b, \bar x, r_{E' \mid p}(b, \bar x)) = g_{E'' \mid pS_1}(b, \bar x, r_{E' \mid p}(b, \bar x)) \quad \text{where } E'' = Add(E_1, E)$$

$S = q$ where $\textbf{proc } q\ e;\ T \textbf{ end} \in E$:

$$g_{E \mid pS}(b, \bar x, r_{E' \mid p}(b, \bar x)) = \begin{cases} r_{E' \mid p}(b, \bar x) & \text{if } q = p \\ g_{E \mid pT}(b, \bar x, r_{E' \mid p}(b, \bar x)) & \text{if } q \text{ is on } p\text{'s cycle, } q \neq p \\ g_{E \mid q}(\bar x) & \text{if } q \text{ is not on } p\text{'s cycle} \end{cases}$$
Notice that for $min(E \mid p) = min(E' \mid p)$, $r_{E \mid p}(b, \bar x) = r_{E' \mid p}(b, \bar x)$. With the above definition we can now prove the following.

Lemma 42 For program unit $E \mid S$ where $free(min(E \mid S)) = X$

$$g_{E \mid S}(c(s \upharpoonright X)) = c(\Sigma_{\mathcal{I}}(E \mid S)(s) \upharpoonright X).$$

Proof: Let $\gamma = c(s \upharpoonright X)$. This proof uses the technique given in the example proof on page 63. It involves a number of inductions on a program unit $E \mid S$. In each context the treatment of the non-call constructs is the same. In these contexts the following holds for the non-call constructs.

$$g_{E \mid S}(\gamma) = c(\Sigma_{\mathcal{I}}(E \mid S)(s) \upharpoonright X) \tag{4.1}$$

$$g_{E \mid pS}(b, \gamma, r_{E \mid p}(b, \gamma)) = c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(s) \upharpoonright X) \tag{4.2}$$

The proofs of equations 4.1 and 4.2 are similar. The proof of equation 4.2 will be given.

$S = x_i := e$

$g_{E \mid pS}(b, \gamma, r_{E \mid p}(b, \gamma))$
$= set_{x_i}(e, \gamma)$
$= c(s\{\mathcal{I}(e)(s)/x_i\} \upharpoonright X)$
$= c(assign_{\mathcal{I}}(x_i, e)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(s) \upharpoonright X)$

$S = S_1; S_2$

$g_{E \mid pS}(b, \gamma, r_{E \mid p}(b, \gamma))$
$= g_{E \mid pS_2}(b,\ g_{E \mid pS_1}(b, \gamma, r_{E \mid p}(b, \gamma)),\ r_{E \mid p}(b, g_{E \mid pS_1}(b, \gamma, r_{E \mid p}(b, \gamma))))$
$= g_{E \mid pS_2}(b,\ c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1)(s) \upharpoonright X),\ r_{E \mid p}(b, c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1)(s) \upharpoonright X)))$
$= c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_2)(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1)(s)) \upharpoonright X)$
$= c(comp_{\mathcal{I}}(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1), \Sigma_{\mathcal{I}}(E\,|^b_p\,S_2))(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(s) \upharpoonright X)$

$S = \textbf{loop } e;\ S_1 \textbf{ end}$. First prove $g^{d}_{E \mid pS_1}(b, \gamma, r_{E \mid p}(b, \gamma)) = c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1)^d(s) \upharpoonright X)$ by induction on $d$. From that result the following holds.

$g_{E \mid pS}(b, \gamma, r_{E \mid p}(b, \gamma))$
$= g^{\,g_e(\gamma)}_{E \mid pS_1}(b, \gamma, r_{E \mid p}(b, \gamma))$
$= c(loop_{\mathcal{I}}(e, \Sigma_{\mathcal{I}}(E\,|^b_p\,S_1))(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(s) \upharpoonright X)$

$S = \textbf{begin } x_i;\ S_1 \textbf{ end}$

$g_{E \mid pS}(b, \gamma, r_{E \mid p}(b, \gamma))$
$= drop_{x_i}(g_{E \mid pS_1}(b,\ add_{x_i}(a, \gamma),\ r_{E \mid p}(b, add_{x_i}(a, \gamma))))$
$= drop_{x_i}(g_{E \mid pS_1}(b,\ c(s\{\mathcal{I}(a)/x_i\} \upharpoonright X \cup \{x_i\}),\ r_{E \mid p}(b, c(s\{\mathcal{I}(a)/x_i\} \upharpoonright X \cup \{x_i\}))))$
$= drop_{x_i}(c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1)(s\{\mathcal{I}(a)/x_i\}) \upharpoonright X \cup \{x_i\}))$
$= c((\Sigma_{\mathcal{I}}(E\,|^b_p\,S_1)(s\{\mathcal{I}(a)/x_i\}))\{\mathcal{I}(x_i)(s)/x_i\} \upharpoonright X)$
$= c(block_{\mathcal{I}}(x_i, \Sigma_{\mathcal{I}}(E\,|^b_p\,S_1))(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(s) \upharpoonright X)$

$S = \textbf{begin } E_1;\ S_1 \textbf{ end}$

$g_{E \mid pS}(b, \gamma, r_{E \mid p}(b, \gamma))$
$= g_{E' \mid pS_1}(b, \gamma, r_{E \mid p}(b, \gamma))$ where $E' = Add(E_1, E)$
$= c(\Sigma_{\mathcal{I}}(E'\,|^b_p\,S_1)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(s) \upharpoonright X)$

The above proof sections will be referred to multiple times in the proof of this lemma.

The proof of equation 4.1 shows that the lemma holds for the non-call constructs. All that is left to show is that the lemma holds for the call $E \mid p$. Prove this by induction on the height $h$ of the $E \mid p$ di-graph. Let $\textbf{proc } p\ e;\ T \textbf{ end} \in E$.

Say $h = 0$ and the call $E \mid p$ is not the start node of a cycle. If it can be shown that

$$g_{E \mid T}(\gamma) = c(\Sigma_{\mathcal{I}}(E \mid T)(s) \upharpoonright X) \tag{4.3}$$

then the following holds.

$g_{E \mid p}(\gamma)$
$= g_{E \mid T}(\gamma)$
$= c(\Sigma_{\mathcal{I}}(E \mid T)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E \mid p)(s) \upharpoonright X)$

Equation 4.3 has been proved for the non-call constructs. Since $h = 0$ there are no calls in procedure body $T$.

Say $h = 0$ and the call $E \mid p$ is the start node of one or more cycles. If it can be proved that

$$r_{E \mid p}(b, \gamma) = c(\Sigma_{\mathcal{I}}(E \mid p\ b)(s) \upharpoonright X) \tag{4.4}$$

then the following holds.

$g_{E \mid p}(\gamma)$
$= r_{E \mid p}(g_e(\gamma), \gamma)$
$= r_{E \mid p}(\mathcal{I}(e)(s), \gamma)$
$= c(\Sigma_{\mathcal{I}}(E \mid p\ \mathcal{I}(e)(s))(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E \mid p)(s) \upharpoonright X)$

Prove equation 4.4 by induction on $b$. For $b = 0$

$r_{E \mid p}(b, \gamma)$
$= \gamma$
$= c(id(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E \mid p\ b)(s) \upharpoonright X).$

Suppose that $b > 0$. If it can be shown that for $T$ distinguished

$$g_{E \mid pT}(b-1, \gamma, r_{E \mid p}(b-1, \gamma)) = c(\Sigma_{\mathcal{I}}(E\,|^{b-1}_p\,T)(s) \upharpoonright X) \tag{4.5}$$

then the following holds.

$r_{E \mid p}(b, \gamma)$
$= g_{E \mid pT}(b-1, \gamma, r_{E \mid p}(b-1, \gamma))$
$= c(\Sigma_{\mathcal{I}}(E\,|^{b-1}_p\,T)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^{b-1}_p\,C(T))(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E \mid p\ b)(s) \upharpoonright X)$

The proof of equation 4.2 shows that equation 4.5 holds for the non-call constructs. Since $h = 0$, calls in procedure body $T$ can only be to the first node on a cycle.

Consider the cycles on node $E \mid p$. Label the calls participating in these cycles according to how many calls there are between the edge representing this call and the edge entering node $E \mid p$. That is, the $n$th call directly to procedure $p$ is labeled $E_{n,0} \mid q_{n,0}$. Label the $n$th call to a procedure which is $m$ calls away from a recursive call to procedure $E \mid p$, $E_{n,m} \mid q_{n,m}$. Equation 4.5 holds for each call $E_{n,m} \mid q_{n,m}$ if it can be shown that, for $0 \le i \le m$, the following holds.

$$g_{E_{n,i} \mid pq_{n,i}}(b-1, \gamma, r_{E \mid p}(b-1, \gamma)) = c(\Sigma_{\mathcal{I}}(E_{n,i}\,|^{b-1}_p\,q_{n,i})(s) \upharpoonright X) \tag{4.6}$$

This will be proven for any $n$ by induction on $i$. For $i = 0$, if it can be shown that

$$r_{E \mid p}(b-1, \gamma) = c(\Sigma_{\mathcal{I}}(E \mid p\ b-1)(s) \upharpoonright X) \tag{4.7}$$

then the following holds.

$g_{E_{n,0} \mid pq_{n,0}}(b-1, \gamma, r_{E \mid p}(b-1, \gamma))$
$= g_{E_{n,0} \mid pp}(b-1, \gamma, r_{E \mid p}(b-1, \gamma))$
$= r_{E \mid p}(b-1, \gamma)$
$= c(\Sigma_{\mathcal{I}}(E \mid p\ b-1)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E_{n,0} \mid q_{n,0}\ b-1)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E_{n,0}\,|^{b-1}_p\,q_{n,0})(s) \upharpoonright X)$

Equation 4.7 holds by induction on $b$.

Let $0 < i \le m$ and $\textbf{proc } q_{n,i}\ e_{n,i};\ R_{n,i} \textbf{ end} \in E_{n,i}$. If it can be shown that for $R_{n,i}$ distinguished

$$g_{E_{n,i} \mid pR_{n,i}}(b-1, \gamma, r_{E \mid p}(b-1, \gamma)) = c(\Sigma_{\mathcal{I}}(E_{n,i}\,|^{b-1}_p\,R_{n,i})(s) \upharpoonright X) \tag{4.8}$$

then the following holds.

$g_{E_{n,i} \mid pq_{n,i}}(b-1, \gamma, r_{E \mid p}(b-1, \gamma))$
$= g_{E_{n,i} \mid pR_{n,i}}(b-1, \gamma, r_{E \mid p}(b-1, \gamma))$
$= c(\Sigma_{\mathcal{I}}(E_{n,i}\,|^{b-1}_p\,R_{n,i})(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E_{n,i}\,|^{b-1}_p\,C(R_{n,i}))(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E_{n,i}\,|^{b-1}_p\,q_{n,i})(s) \upharpoonright X)$

Equation 4.8 holds for the non-call constructs. Since the cycles are simple and $h = 0$ the only calls in $R_{n,i}$ are calls of the form $E_{n',i-1} \mid q_{n',i-1}$. Equation 4.8 is proved for these calls by induction on $i$.

Let $h > 0$. The proof that the lemma holds for the call $E \mid p$ where $h > 0$ is similar to the proof that the lemma holds for the call $E \mid p$ where $h = 0$ except that an additional case is needed to inductively prove some of the equations. Only these additional cases will be discussed.

Say $E \mid p$ is not a start node. In proving equation 4.3 the procedure body $T$ may contain a procedure call. The height of the di-graph for this call will be less than $h$. Thus, equation 4.3 holds for this call by induction on $h$.

Say $E \mid p$ is the start node of one or more cycles. In proving equation 4.5 the procedure body $T$ may contain one or more calls to a procedure whose node is not on the cycle. If it can be shown that

$$g_{E \mid q}(\gamma) = c(\Sigma_{\mathcal{I}}(E \mid q)(s) \upharpoonright X) \tag{4.9}$$

then the following holds.

$g_{E \mid pq}(b-1, \gamma, r_{E \mid p}(b-1, \gamma))$
$= g_{E \mid q}(\gamma)$
$= c(\Sigma_{\mathcal{I}}(E \mid q)(s) \upharpoonright X)$
$= c(\Sigma_{\mathcal{I}}(E\,|^{b-1}_p\,q)(s) \upharpoonright X)$

The height of the $E \mid q$ di-graph will be less than $h$. Thus, equation 4.9 holds by induction on $h$.

In proving equation 4.5 for a call to the next node on a cycle, equation 4.8 must be proved. Here $R_{n,i}$ may contain one or more calls to a procedure whose node is not on the cycle. This case is handled as it was in the previous paragraph. □

The proof of Lemma 42 would be simpler if the function being recursively defined corresponded to a procedure body. Instead the function corresponds to those procedures which make up a cycle. In this chapter, the sequence of procedures making up a cycle can be reduced to a single procedure by replacing each procedure call to an inner node with its procedure body. Such a translation makes all recursive calls direct. This translation is always possible for program segments in $\mathcal{L}_Q$ whose call di-graphs contain only simple cycles. While this translation is possible for a PR language with parameterless procedures, or a PR language with variable parameters, it is not possible for a language with procedure parameters. Therefore such a translation will not be utilized here.

Theorem 43 The class of functions computed by $\mathcal{L}_Q$ programs is the class of PR functions.

Proof: Notice that for an $\mathcal{L}_Q$ program $\pi = (S, \varepsilon)$, $S \cong S_d$ where $S_d$ is distinguished and $free(S) = X$,

$$c(\Sigma_{\mathcal{I}}(\pi)(s) \upharpoonright X) = g_{\emptyset \mid S_d}(c(s \upharpoonright X)).$$

It can be seen from the definition that the function $g_{E \mid S}$ is PR. Therefore each $\mathcal{L}_Q$ program $\pi$ computes a PR function. $\mathcal{L}_Q$ is an extension of the language of the previous chapter, and there is a program in that language which computes every PR function. Thus, the class of PR functions and the class of functions computed by $\mathcal{L}_Q$ programs are equivalent. □

4.5 Verification of $\mathcal{L}_Q$ Programs

The verification systems $\mathcal{H}_{PR}$ and $\mathcal{H}_B$ consisted of Hoare statements on program segments. It is straightforward to modify these to Hoare statements on program units and bounded recursive units. In addition $\mathcal{H}_Q$ contains rules to verify Hoare statements about parameterless procedures. The verification system $\mathcal{H}_Q$ for the new language $\mathcal{L}_Q$ follows.

Program Rule

$$\frac{\{P\}\ \emptyset \mid S_d\ \{Q\}}{\{P\}\ \pi\ \{Q\}} \qquad \text{for } \pi = (S, \varepsilon),\ S \cong S_d \text{ and } S_d \text{ distinguished.}$$

Assignment Axiom

$$\{P[e/x]\}\ E \mid x := e\ \{P\}$$

Composition Rule

$$\frac{\{P\}\ E \mid S_1\ \{R\},\quad \{R\}\ E \mid S_2\ \{Q\}}{\{P\}\ E \mid S_1; S_2\ \{Q\}}$$

Invariance Rule

$$\frac{\{P\}\ E \mid S\ \{Q\}}{\{P \wedge R\}\ E \mid S\ \{Q \wedge R\}} \qquad \text{for } free(R) \cap free(min(E \mid S)) = \emptyset.$$

Iteration Rule

$$\frac{\{P[y/x] \wedge 0 \le y < e\}\ E \mid S\ \{P[s(y)/x]\}}{\{P[0/x]\}\ E \mid \textbf{loop } e;\ S \textbf{ end}\ \{P[e/x]\}}$$

for $x \notin var(e) \cup free(min(E \mid S))$ and $y \notin var(e) \cup free(min(E \mid S)) \cup free(P)$.

Consequence Rule

$$\frac{P_1 \to P,\quad \{P\}\ E \mid S\ \{Q\},\quad Q \to Q_1}{\{P_1\}\ E \mid S\ \{Q_1\}}$$

Variable Declaration Rule

$$\frac{\{P[y/x] \wedge x = a\}\ E \mid S\ \{Q[y/x]\}}{\{P\}\ E \mid \textbf{begin } x;\ S \textbf{ end}\ \{Q\}} \qquad \text{for } y \notin free(P \vee Q) \cup free(min(E \mid S)).$$

Procedure Declaration Rule

$$\frac{\{P\}\ E' \mid S\ \{Q\}}{\{P\}\ E \mid \textbf{begin } E_1;\ S \textbf{ end}\ \{Q\}} \qquad \text{for } E' = Add(E_1, E).$$

Environment Rule

$$\frac{\{P\}\ E' \mid S\ \{Q\}}{\{P\}\ E \mid S\ \{Q\}} \qquad \text{for } min(E \mid S) = min(E' \mid S).$$

Non-Recursive Procedure Call Rule

$$\frac{\{P\}\ E \mid S\ \{Q\}}{\{P\}\ E \mid p\ \{Q\}} \qquad \text{for } E \mid p \text{ not a start node and } \textbf{proc } p\ e;\ S \textbf{ end} \in E.$$

Recursive Procedure Call Rule

$$\frac{P[0/w] \to Q[0/w],\quad \big(\{P[v-1/w] \wedge 0 < v \le e\}\ E\,|^{v-1}_p\,p\ \{Q[v-1/w] \wedge 0 < v \le e\}\ \vdash_{\mathcal{H}_Q}\ \{P[v/w] \wedge 0 < v \le e\}\ E\,|^{v-1}_p\,S\ \{Q[v/w] \wedge 0 < v \le e\}\big)}{\{P[e/w]\}\ E \mid p\ \{Q[e/w]\}}$$

for $\textbf{proc } p\ e;\ S \textbf{ end} \in E$ and $v \notin free(min(E \mid p)) \cup free(P \vee Q)$.

Rules to prove Hoare triples for bounded recursive units $E\,|^b_p\,S$.

Assignment Axiom

$$\{P[e/x]\}\ E\,|^b_p\, x := e\ \{P\}$$

Composition Rule

$$\frac{\{P\}\ E\,|^b_p\,S_1\ \{R\},\quad \{R\}\ E\,|^b_p\,S_2\ \{Q\}}{\{P\}\ E\,|^b_p\,S_1; S_2\ \{Q\}}$$

Invariance Rule

$$\frac{\{P\}\ E\,|^b_p\,S\ \{Q\}}{\{P \wedge R\}\ E\,|^b_p\,S\ \{Q \wedge R\}} \qquad \text{for } free(R) \cap free(min(E\,|^b_p\,S)) = \emptyset.$$

Iteration Rule

$$\frac{\{P[y/x] \wedge 0 \le y < e\}\ E\,|^b_p\,S\ \{P[s(y)/x]\}}{\{P[0/x]\}\ E\,|^b_p\, \textbf{loop } e;\ S \textbf{ end}\ \{P[e/x]\}}$$

for $x \notin var(e) \cup free(min(E\,|^b_p\,S))$ and $y \notin var(e) \cup free(min(E\,|^b_p\,S)) \cup free(P)$.

Consequence Rule

$$\frac{P_1 \to P,\quad \{P\}\ E\,|^b_p\,S\ \{Q\},\quad Q \to Q_1}{\{P_1\}\ E\,|^b_p\,S\ \{Q_1\}}$$

Variable Declaration Rule

$$\frac{\{P[y/x] \wedge x = a\}\ E\,|^b_p\,S\ \{Q[y/x]\}}{\{P\}\ E\,|^b_p\, \textbf{begin } x;\ S \textbf{ end}\ \{Q\}} \qquad \text{for } y \notin free(P \vee Q) \cup free(min(E\,|^b_p\,S)).$$

Procedure Declaration Rule

$$\frac{\{P\}\ E'\,|^b_p\,S\ \{Q\}}{\{P\}\ E\,|^b_p\, \textbf{begin } E_1;\ S \textbf{ end}\ \{Q\}} \qquad \text{for } E' = Add(E_1, E).$$

Environment Rule

$$\frac{\{P\}\ E'\,|^b_p\,S\ \{Q\}}{\{P\}\ E\,|^b_p\,S\ \{Q\}} \qquad \text{for } min(E\,|^b_p\,S) = min(E'\,|^b_p\,S).$$

Inner Procedure Call Rule

$$\frac{\{P\}\ E\,|^b_p\,S\ \{Q\}}{\{P\}\ E\,|^b_p\,q\ \{Q\}} \qquad \text{for } q \text{ on } p\text{'s cycle, } q \neq p \text{ and } \textbf{proc } q\ e;\ S \textbf{ end} \in E.$$

Off Cycle Procedure Call Rule

$$\frac{\{P\}\ E \mid q\ \{Q\}}{\{P\}\ E\,|^b_p\,q\ \{Q\}} \qquad \text{for } q \text{ not on } p\text{'s cycle.}$$

Substitution Rule #1

$$\frac{\{P\}\ E\,|^b_p\,p\ \{Q\}}{\{P[\bar x/\bar y]\}\ E\,|^b_p\,p\ \{Q[\bar x/\bar y]\}}$$

where $\bar x \cap free(min(E\,|^b_p\,p)) = \emptyset$ and $\bar y \cap free(min(E\,|^b_p\,p)) = \emptyset$.

Substitution Rule #2

$$\frac{\{P\}\ E\,|^b_p\,p\ \{Q\}}{\{P[\bar e/\bar y]\}\ E\,|^b_p\,p\ \{Q\}}$$

where $\bar y \cap (free(min(E\,|^b_p\,p)) \cup free(Q)) = \emptyset$.

Notice that the Recursive Procedure Call Rule refers to provability. A calculus of sequents would be a more formal presentation than the natural deduction system given here. It can be shown, however, that the system presented can be translated to a calculus of sequents.

The Recursive Procedure Call Rule requires that a Hoare triple be proved assuming the provability of another Hoare triple. Frequently the Hoare triple which is assumed needs to be modified for the proof. The Invariance Rule enables the adaptation of the assumed Hoare triple for the proof. The Invariance Rule can be made obsolete with slight modifications to $\mathcal{H}_Q$ [2]. In fact, in $\mathcal{H}_Q$ the following weaker Invariance Rule would suffice.

$$\frac{\{P\}\ E\,|^b_p\,p\ \{Q\}}{\{P \wedge R\}\ E\,|^b_p\,p\ \{Q \wedge R\}} \qquad \text{for } free(R) \cap free(min(E\,|^b_p\,p)) = \emptyset.$$
The general Invariance Rules are convenient however. Without these rules information needed about the variables not used in a program segment must be carried throughout the proof. This is the role assertion $P$ played in the lemma showing the provability of an SPC Hoare triple in Chapters 2 and 3. The general Invariance Rules are included in $\mathcal{H}_Q$ since extra information in a proof tends to obscure what is happening in that proof.

Call the variables not used in a procedure auxiliary variables of that procedure. Here is a description of how the assumption resulting from an application of the Recursive Procedure Call Rule is typically modified. Substitution Rule #1 renames one or more auxiliary variables of the assumption. The Invariance Rule states that these renamed variables are not changed by the procedure call. The Consequence Rule is used to remove the auxiliary variables from the postassertion. Finally, Substitution Rule #2 is used to replace the auxiliary variables in the preassertion by useful ones.

For $\pi = \textbf{proc } p\ n;\ x := x - 1;\ p;\ x := x + 1 \textbf{ end};\ p$, the proof that

$$\vdash_{\mathcal{H}_Q} \{z > n \wedge x = z\}\ \pi\ \{x = z\}$$

demonstrates the use of these rules. Auxiliary variable $z$ is used to show that for $x > n$ program $\pi$ does not change the value of $x$. Let

$$E = \textbf{proc } p\ n;\ x := x - 1;\ p;\ x := x + 1 \textbf{ end}.$$

$\{z > n \wedge x = z\}\ \pi\ \{x = z\}$

↑ Procedure Declaration Rule

$\{z > n \wedge x = z\}\ E \mid p\ \{x = z\}$

↑ Consequence Rule

$\{z > n \wedge x = z\}\ E \mid p\ \{z > n \wedge x = z\}$

↑ Recursive Procedure Call Rule (preassertion: $z > w \wedge x = z$; postassertion: $z > w \wedge x = z$)

$(z > 0 \wedge x = z) \to (z > 0 \wedge x = z)$,

Assume $\{z > v - 1 \wedge x = z \wedge 0 < v \le n\}\ E\,|^{v-1}_p\,p\ \{z > v - 1 \wedge x = z \wedge 0 < v \le n\}$

$\{z > v \wedge x = z \wedge 0 < v \le n\}\ E\,|^{v-1}_p\, x := x - 1;\ p;\ x := x + 1\ \{z > v \wedge x = z \wedge 0 < v \le n\}$

↑ Assignment, Composition and Consequence Rules

$\{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n\}\ E\,|^{v-1}_p\,p\ \{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n\}$

This final Hoare triple is the result of replacing $z$ everywhere in the assumption by $z - 1$. This is done as follows.

$\{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n\}\ E\,|^{v-1}_p\,p\ \{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n\}$

↑ Consequence Rule

$\{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n \wedge z - 1 = z - 1\}\ E\,|^{v-1}_p\,p\ \{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n\}$

↑ Substitution Rule #2 with $[z - 1/d]$: remove the auxiliary variable $d$ from the preassertion.

$\{d > v - 1 \wedge x = d \wedge 0 < v \le n \wedge d = z - 1\}\ E\,|^{v-1}_p\,p\ \{z - 1 > v - 1 \wedge x = z - 1 \wedge 0 < v \le n\}$

↑ Consequence Rule: remove $d$ from the postassertion.

$\{d > v - 1 \wedge x = d \wedge 0 < v \le n \wedge d = z - 1\}\ E\,|^{v-1}_p\,p\ \{d > v - 1 \wedge x = d \wedge 0 < v \le n \wedge d = z - 1\}$

↑ Invariance Rule: form the connection between the old and new $z$.

$\{d > v - 1 \wedge x = d \wedge 0 < v \le n\}\ E\,|^{v-1}_p\,p\ \{d > v - 1 \wedge x = d \wedge 0 < v \le n\}$

↑ Substitution Rule #1 with $[d/z]$: replace $z$ in the assumption by the inactive variable $d$.

$\{z > v - 1 \wedge x = z \wedge 0 < v \le n\}\ E\,|^{v-1}_p\,p\ \{z > v - 1 \wedge x = z \wedge 0 < v \le n\}$

Assumption

This completes the example. Notice that the substitution rules would be sound even if procedure call $p$ was replaced by program segment $S$ in these rules. The weaker substitution rules suffice to provide a complete verification system for $\mathcal{H}_Q$.
A restriction could be placed on the system that programs can not make recursive calls with a zero bound value. This would require conditional statements in the program, rather than the bound, to control the depth of recursion. An example of a recursive procedure controlled by conditional statements, and a recursive procedure controlled by the bound, are given in Figure 4.5. Recursive routines are ordinarily controlled by conditional statements. The role of the bound should be an assertion of the maximum nesting depth of the routine. Letting the bound determine the depth of the recursion creates a procedure more in the flavor of iteration than recursion. Utilizing the bound as a control mechanism could be considered a misuse of the language. If a guarantee is made that recursive calls will not be made with a zero bound, the Recursive Procedure Call Rule simplifies to the following.

$$\frac{P \to Q,\quad \big(\{P\}\ E\,|^b_p\,p\ \{Q\}\ \vdash_{\mathcal{H}_Q}\ \{P\}\ E\,|^b_p\,S\ \{Q\}\big)}{\{P\}\ E \mid p\ \{Q\}} \qquad \text{for } \textbf{proc } p\ e;\ S \textbf{ end} \in E$$

This guarantee could be verified by a run time check on the value of the bound each time a recursive call is executed. This restriction can not be guaranteed syntactically however. Therefore, recursive calls with a zero bound will be allowed and the more complicated Recursive Procedure Call Rule will be used.

4.6 Soundness of $\mathcal{H}_Q$

In the previous two systems a Hoare statement $\{P\}\ S\ \{Q\}$ is valid, in an interpretation $\mathcal{I}$, if the result of applying a program function $f_S$ to any state in $P$ yields a state in $Q$. That is $\models_{\mathcal{I}} \{P\}\ S\ \{Q\}$ if $f_S(St_{\mathcal{I}}(P)) \subseteq St_{\mathcal{I}}(Q)$, or in the shorter form $f_S(P) \subseteq Q$. In the expanded system being presented, Hoare statements are of the form $\{P\}\ E \mid S\ \{Q\}$ and $\{P\}\ E\,|^b_p\,S\ \{Q\}$. Write $\models_{\mathcal{I}} \{P\}\ E \mid S\ \{Q\}$ if $\Sigma_{\mathcal{I}}(E \mid S)(St_{\mathcal{I}}(P)) \subseteq St_{\mathcal{I}}(Q)$, or in the shorter form, $\Sigma_{\mathcal{I}}(E \mid S)(P) \subseteq Q$. Similarly write $\models_{\mathcal{I}} \{P\}\ E\,|^b_p\,S\ \{Q\}$ if $\Sigma_{\mathcal{I}}(E\,|^b_p\,S)(P) \subseteq Q$. For program $\pi$, write $\models_{\mathcal{I}} \{P\}\ \pi\ \{Q\}$ if $\Sigma_{\mathcal{I}}(\pi)(P) \subseteq Q$.

Recursive procedure whose depth is determined by a conditional statement.

$\Pi_1 = \textbf{proc } add\ n;$
$\quad \textbf{if } n > 0 \textbf{ then } n := n - 1;$
$\qquad add;$
$\qquad n := n + 1;$
$\qquad z := z + 1$
$\quad \textbf{end}$
$\textbf{end};$
$z := m;$
$add$

$$\models_{\mathcal{I}} \{n' = n\}\ \Pi_1\ \{z = n + m\}$$

Recursive procedure whose depth is determined by the bound.

$\Pi_2 = \textbf{proc } add\ n;$
$\quad add;$
$\quad z := z + 1$
$\textbf{end};$
$z := m;$
$add$

$$\models_{\mathcal{I}} \{n' = n\}\ \Pi_2\ \{z = n + m\}$$

Figure 4.5. Example of types of recursive procedure control
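The bounded semantics $\Sigma_{\mathcal{I}}$ above and the two control styles of Figure 4.5 can be exercised directly. The interpreter below is an added example, not the dissertation's own code; its tuple-shaped statements, the `if e > 0 then S end` form, the initial value 0 for a declared variable and the reachability test used for cycle membership are assumptions of the example, and the three programs it runs are the text's $\pi$ and the figure's $\Pi_1$ and $\Pi_2$.

```python
# Added example: an interpreter for Sigma_I(E | S) and Sigma_I(E |_p^b S) with the
# bounded-recursion rule "a call to p with bound 0 is ignored".
from typing import Callable, Dict, Optional, Tuple

State = Dict[str, int]
Expr = Callable[[State], int]
# Statement forms (an assumption of this example, not the dissertation's syntax):
#   ("assign", x, e)   ("seq", S1, S2)   ("loop", e, S)   ("if", e, S)
#   ("block", x, S)    ("decl", E1, S)   ("call", p)
# Environment E: procedure name -> (bound expression e, body S) for "proc p e; S end".
Env = Dict[str, Tuple[Expr, tuple]]


def calls_in(S: tuple) -> set:
    """Procedure identifiers called directly in segment S (inner declarations excluded)."""
    if S[0] == "call":
        return {S[1]}
    if S[0] == "assign":
        return set()
    return set().union(*(calls_in(part) for part in S[1:] if isinstance(part, tuple)))


def reaches(E: Env, q: str, p: str, seen: frozenset = frozenset()) -> bool:
    """True if a chain of calls starting in q's body can reach procedure p."""
    if q in seen or q not in E:
        return False
    direct = calls_in(E[q][1])
    return p in direct or any(reaches(E, r, p, seen | {q}) for r in direct)


def run(E: Env, S: tuple, s: State, ctx: Optional[Tuple[str, int]] = None) -> State:
    """Sigma_I(E | S)(s) when ctx is None, Sigma_I(E |_p^b S)(s) when ctx == (p, b).
    Renaming by the copy rule is unnecessary here because states are copied and
    block variables are saved and restored explicitly."""
    s = dict(s)
    kind = S[0]
    if kind == "assign":                        # assign_I(x, e)
        s[S[1]] = S[2](s)
        return s
    if kind == "seq":                           # comp_I
        return run(E, S[2], run(E, S[1], s, ctx), ctx)
    if kind == "loop":                          # loop_I: body iterated I(e)(s) times
        for _ in range(max(0, S[1](s))):
            s = run(E, S[2], s, ctx)
        return s
    if kind == "if":                            # if e > 0 then S1 end (Figure 4.5)
        return run(E, S[2], s, ctx) if S[1](s) > 0 else s
    if kind == "block":                         # block_I: local x, restored on exit
        x, saved = S[1], s.get(S[1], 0)
        s[x] = 0                                # assumed initial value a = 0
        s = run(E, S[2], s, ctx)
        s[x] = saved
        return s
    if kind == "decl":                          # Add(E1, E)
        return run({**E, **S[1]}, S[2], s, ctx)
    q = S[1]                                    # kind == "call"
    e_q, T_q = E[q]
    if ctx is not None:
        p, b = ctx
        if q == p:                              # Sigma_I(E | p b): identity when b = 0
            return s if b == 0 else run(E, T_q, s, (p, b - 1))
        if reaches(E, q, p):                    # inner node of p's cycle: same bound
            return run(E, T_q, s, (p, b))
    if reaches(E, q, q):                        # start node of a cycle: fix the bound
        return run(E, ("call", q), s, (q, e_q(s)))
    return run(E, T_q, s)                       # non-recursive call: Sigma_I(E | T)


# pi = proc p n; x := x - 1; p; x := x + 1 end; p   (the example from the text)
E_PI: Env = {"p": (lambda s: s["n"],
                   ("seq", ("assign", "x", lambda s: s["x"] - 1),
                    ("seq", ("call", "p"), ("assign", "x", lambda s: s["x"] + 1))))}

# Figure 4.5: Pi_1 controls the depth with a conditional, Pi_2 with the bound.
ADD_1_BODY = ("if", lambda s: s["n"],
              ("seq", ("assign", "n", lambda s: s["n"] - 1),
               ("seq", ("call", "add"),
                ("seq", ("assign", "n", lambda s: s["n"] + 1),
                 ("assign", "z", lambda s: s["z"] + 1)))))
ADD_2_BODY = ("seq", ("call", "add"), ("assign", "z", lambda s: s["z"] + 1))
MAIN = ("seq", ("assign", "z", lambda s: s["m"]), ("call", "add"))


def run_pi(n: int, x: int) -> int:
    """Final x of pi; the triple {z > n and x = z} pi {x = z} says it is unchanged."""
    return run(E_PI, ("call", "p"), {"n": n, "x": x})["x"]


def run_figure(body: tuple, bound: Expr, n: int, m: int) -> int:
    """Final z of 'z := m; add' under 'proc add bound; body end'."""
    return run({"add": (bound, body)}, MAIN, {"n": n, "m": m})["z"]


if __name__ == "__main__":
    print(run_pi(3, 7))                                        # 7
    print(run_figure(ADD_1_BODY, lambda s: s["n"], 3, 5))      # 8 = n + m
    print(run_figure(ADD_2_BODY, lambda s: s["n"], 3, 5))      # 8 = n + m
    # Raising the bound above n changes only Pi_2: its depth is the bound itself.
    print(run_figure(ADD_1_BODY, lambda s: s["n"] + 5, 3, 5))  # 8
    print(run_figure(ADD_2_BODY, lambda s: s["n"] + 5, 3, 5))  # 13
```

The last two calls show the point made above Figure 4.5: with a conditional the bound is only an assertion on the nesting depth, whereas $\Pi_2$ runs exactly as many bodies as the bound allows.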

Recall that the soundness of the Iteration Rule implies that the theory supporting the Hoare axioms and rules proves induction on arbitrary formulas. A similar situation exists for the Recursive Procedure Call Rule. The Recursive Procedure Call Rule where the pre- and postconditions are formulas from $\Sigma_n$ will be referred to as the $\Sigma_n$-Recursive Procedure Call Rule.

Lemma 44 For a complete theory $T \supseteq PRA$ and a Hoare system $H$ which includes the Assignment Axiom, Consequence, Composition, Procedure Declaration and Procedure Call Rules

1. $\Sigma_n$-Recursive Procedure Call Rule is sound $\Rightarrow$ $T \vdash \Sigma_n$-induction

2. $T \vdash \Sigma_{n+1}$-induction $\Rightarrow$ $\Sigma_n$-Recursive Procedure Call Rule is sound

Proof:

1. The proof of this implication uses the same technique as the proof of this implication in Lemma 14. Recall that $P(0)$ and $\forall x (P(x) \to P(x + 1))$ are assumed, and that $P(a)$ is to be proven. The Hoare statement to be used to prove $P(a)$ is that for $\pi = \textbf{proc } q\ a;\ q;\ i := i + 1 \textbf{ end};\ i := 0;\ q$, and $i \notin free(P)$, $\vdash_H \{P[0/x]\}\ \pi\ \{P[a/x]\}$. Let $E = \textbf{proc } q\ a;\ q;\ i := i + 1 \textbf{ end}$.

$\{P[0/x]\}\ \pi\ \{P[a/x]\}$

↑ Procedure Declaration Rule

$\{P[0/x]\}\ E \mid i := 0;\ q\ \{P[a/x]\}$

↑ Assignment Axiom, Composition and Consequence Rules

$\{(P \wedge i = x)[0/x]\}\ E \mid q\ \{(P \wedge i = x)[a/x]\}$

↑ Recursive Procedure Call Rule (precondition: $(P \wedge i = x)[0/x]$; postcondition: $(P \wedge i = x)[w/x]$)

$((P \wedge i = x)[0/x]) \to ((P \wedge i = x)[0/x])$,

Assume $\{(P \wedge i = x)[0/x] \wedge 0 < v \le a\}\ E\,|^{v-1}_q\,q\ \{(P \wedge i = x)[v - 1/x] \wedge 0 < v \le a\}$

$\{(P \wedge i = x)[0/x] \wedge 0 < v \le a\}\ E\,|^{v-1}_q\, q;\ i := i + 1\ \{(P \wedge i = x)[v/x] \wedge 0 < v \le a\}$

↑ Assignment Axiom, Composition and Consequence Rules

$\{(P \wedge i = x)[0/x] \wedge 0 < v \le a\}\ E\,|^{v-1}_q\,q\ \{(P \wedge i + 1 = x)[v/x] \wedge 0 < v \le a\}$

↑ Consequence Rule (implication a)

$\{(P \wedge i = x)[0/x] \wedge 0 < v \le a\}\ E\,|^{v-1}_q\,q\ \{(P \wedge i = x)[v - 1/x] \wedge 0 < v \le a\}$

The proof of implication a is as follows.

$(P \wedge i = x)[v - 1/x] \wedge 0 < v \le a$

$\Rightarrow P[v - 1/x] \wedge i = v - 1 \wedge 0 < v \le a$

$\Rightarrow P[v/x] \wedge i + 1 = v \wedge 0 < v \le a$

$\Rightarrow (P \wedge i + 1 = x)[v/x] \wedge 0 < v \le a$

2. Assume $T \vdash \Sigma_{n+1}$-induction. The proof of the soundness of the $\Sigma_n$-Recursive Procedure Call Rule, using $\Sigma_{n+1}$-induction, is given in the proof of the Soundness Theorem.

□
A Hoare statement is proven correct as follows. First consider the call di-graph of each call in the program unit. Reduce the cycles in these call di-graphs so that the graphs become trees. Prove a Hoare statement for the leaf nodes of these trees. Using these Hoare statements, prove Hoare statements for those nodes with calls to the leaf nodes. Continue this way, working up the tree until the original Hoare statement has been proven. Proving Hoare statements in this way guarantees that proofs in the antecedent of the Recursive Procedure Call Rule do not require additional applications of the Recursive Procedure Call Rule. This is a more restricted definition of proof than the one given by Olderog. In Olderog's proofs the Hoare axioms and rules may be applied in any order. Proofs in the PR system presented here are layered according to the call structure of the program. This is a stronger, and more structured, notion of proof.
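The layered notion of proof can be made concrete by computing the order in which the nodes of a call di-graph are handled. The following Python is an added example, not code from the dissertation: it takes a constructed call graph (an adjacency dict over procedure names), finds its cycles as strongly connected components with Tarjan's algorithm, and returns them callees first, which is the order in which their Hoare statements are proved; it also checks the restriction, stated in Chapter 5 for programs in the extended language, that a call di-graph contain only simple cycles. Names such as proof_order, CALL_GRAPH and TWO_CYCLES are assumptions of this example.

```python
"""Layered proof order over a call di-graph.

Added example, not from the dissertation. A call graph is an adjacency
dict {caller: [callees]} over procedure names (constructed samples are
given below). The cycles of the graph are its strongly connected
components; collapsing them turns the graph into a tree (a DAG in
general), and Hoare statements are then proved leaves first, so that the
antecedent of each Recursive Procedure Call Rule application never needs
a further application of that rule.
"""


def all_nodes(graph):
    """Every procedure mentioned as caller or callee, in a fixed order."""
    nodes = set(graph)
    for callees in graph.values():
        nodes.update(callees)
    return sorted(nodes)


def strongly_connected_components(graph):
    """Tarjan's algorithm. The components come out with every component
    listed before any component that calls into it (callees first)."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in sorted(graph.get(v, [])):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            comps.append(sorted(comp))

    for v in all_nodes(graph):
        if v not in index:
            visit(v)
    return comps


def proof_order(graph):
    """Components in the order in which their Hoare statements are proved."""
    return strongly_connected_components(graph)


def respects_call_order(graph, layers):
    """Every call either stays inside its own layer or targets a layer
    proved earlier, which is what the layered notion of proof requires."""
    layer_of = {v: i for i, comp in enumerate(layers) for v in comp}
    return all(layer_of[w] <= layer_of[v]
               for v, callees in graph.items() for w in callees)


def is_simple_cycle(comp, graph):
    """A leaf (single node, no self-call) or one simple cycle: every member
    has exactly one callee inside the component. Two cycles sharing a
    node give that node two inner callees."""
    members = set(comp)
    inner = {v: [w for w in graph.get(v, []) if w in members] for v in comp}
    if len(comp) == 1 and not inner[comp[0]]:
        return True
    return all(len(callees) == 1 for callees in inner.values())


def non_simple_components(graph):
    """Components violating the 'only simple cycles' restriction."""
    return [c for c in strongly_connected_components(graph)
            if not is_simple_cycle(c, graph)]


# Constructed sample: main calls p; p and q form a cycle; r is directly
# recursive; s is a leaf.
CALL_GRAPH = {
    "main": ["p"],
    "p": ["q", "s"],
    "q": ["p", "r"],
    "r": ["r"],
    "s": [],
}

# Constructed sample with two cycles through t, which the restriction forbids.
TWO_CYCLES = {"t": ["u", "w"], "u": ["t"], "w": ["t"]}
```

For CALL_GRAPH, proof_order returns the layers [["r"], ["s"], ["p", "q"], ["main"]]: the leaf s and the self-recursive r are handled first, then the p/q cycle whose bodies call only r, s and each other, and finally main. non_simple_components(TWO_CYCLES) flags the component {t, u, w}, since t lies on two cycles.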
Theorem 45 (Soundness) For a Hoare triple $\{P\}\,E\,|\,S\,\{Q\}$

$$\vdash_{\mathcal{H}_C} \{P\}\,E\,|\,S\,\{Q\} \Rightarrow \models_{PRA} \{P\}\,E\,|\,S\,\{Q\}.$$

Proof: Prove this by induction on the proof system $\mathcal{H}_C$. The proof of the soundness of the rules translated from $\mathcal{H}_B$ can be straightforwardly modified for this section. The proofs of the soundness of the Procedure Declaration, Environment and the procedure call rules are straightforward from the semantics of $\mathcal{L}_C$. The proof of the soundness of the substitution rules follows from Lemma 41. The soundness of the remaining rules will be shown. Let $\mathcal{I}$ be an interpretation of PA.

Recursive Procedure Call Rule:

Assume $\vdash_{\mathcal{H}_C} \{P[e/w]\}\ E\,|\,p\ \{Q[e/w]\}$ for $\mathbf{proc}\ p\ e;\ S\ \mathbf{end} \in E$ and $E\,|\,p$ the start node of one or more cycles. Then in that proof, $\vdash_{PRA} P[0/w] \to Q[0/w]$ and, for $v \notin free(min(E\,|\,p)) \cup free(P \vee Q)$, $\{P[v-1/w] \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,p\ \{Q[v-1/w] \wedge 0 < v \le e\} \vdash_{\mathcal{H}_C} \{P[v/w] \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,S\ \{Q[v/w] \wedge 0 < v \le e\}$. Due to our restricted notion of provability, the proof of the above did not require an additional application of the Recursive Procedure Call Rule. Therefore, by induction on the soundness of the proof system, $\models_{\mathcal I} \{P[v-1/w] \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,p\ \{Q[v-1/w] \wedge 0 < v \le e\}$ implies $\models_{\mathcal I} \{P[v/w] \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,S\ \{Q[v/w] \wedge 0 < v \le e\}$.

Let $P$ be a $\Sigma_n$ formula. Prove, by $\Sigma_{n+1}$-induction on $b$, that for $b > 0$

$$\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ v)(P[v/w] \wedge 0 < v \le b) \subseteq (Q[v/w] \wedge 0 < v \le b). \qquad (4.10)$$

Let $b = 1$. Since first order logic is sound, $\models_{\mathcal I} P[0/w] \to Q[0/w]$.

$\models_{\mathcal I} P[0/w] \to Q[0/w]$
$\Rightarrow\ \models_{\mathcal I} id(P[0/w]) \subseteq Q[0/w]$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ 0)(P[0/w]) \subseteq Q[0/w]$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{0}\,p)(P[0/w]) \subseteq Q[0/w]$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v-1}\,p)(P[v-1/w] \wedge 0 < v \le b) \subseteq (Q[v-1/w] \wedge 0 < v \le b)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v-1}\,S)(P[v/w] \wedge 0 < v \le b) \subseteq (Q[v/w] \wedge 0 < v \le b)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v-1}\,C(S))(P[v/w] \wedge 0 < v \le b) \subseteq (Q[v/w] \wedge 0 < v \le b)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ v)(P[v/w] \wedge 0 < v \le b) \subseteq (Q[v/w] \wedge 0 < v \le b)$

Assume the statement is true for $b$.

$\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ v)(P[v/w] \wedge 0 < v \le b) \subseteq (Q[v/w] \wedge 0 < v \le b)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v}\,p)(P[v/w] \wedge 0 < v \le b) \subseteq (Q[v/w] \wedge 0 < v \le b)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v-1}\,p)(P[v-1/w] \wedge 0 < v \le b + 1) \subseteq (Q[v-1/w] \wedge 0 < v \le b + 1)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v-1}\,S)(P[v/w] \wedge 0 < v \le b + 1) \subseteq (Q[v/w] \wedge 0 < v \le b + 1)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{v-1}\,C(S))(P[v/w] \wedge 0 < v \le b + 1) \subseteq (Q[v/w] \wedge 0 < v \le b + 1)$
$\Rightarrow\ \models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ v)(P[v/w] \wedge 0 < v \le b + 1) \subseteq (Q[v/w] \wedge 0 < v \le b + 1)$

Prove $\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p)(P[e/w]) \subseteq Q[e/w]$. This holds if $\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ \mathcal{I}(e)(s))(P[e/w]) \subseteq Q[e/w]$. For $\mathcal{I}(e)(s) = 0$ the statement holds because $\models_{\mathcal I} P[0/w] \to Q[0/w]$. Say $\mathcal{I}(e)(s) > 0$. Statement 4.10 where $b = \mathcal{I}(e)(s)$ implies $\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|\,p\ \mathcal{I}(e)(s))(P[e/w]) \subseteq Q[e/w]$.

Invariance Rule:

The soundness of the Invariance Rule for a bounded program unit is shown. The proof of the soundness of the Invariance Rule for a program unit is similar. Assume $free(R) \cap free(min(E\,|^{p}_{b}\,S)) = \emptyset$ and $\vdash_{\mathcal{H}_C} \{P \wedge R\}\ E\,|^{p}_{b}\,S\ \{Q \wedge R\}$. Then in that proof, $\vdash_{\mathcal{H}_C} \{P\}\ E\,|^{p}_{b}\,S\ \{Q\}$. By the inductive hypothesis $\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{b}\,S)(P) \subseteq Q$. Let $s \in St_{\mathcal I}(P \wedge R)$. Since the program function $\Sigma^{\mathcal I}(E\,|^{p}_{b}\,S)$ is stable, $\Sigma^{\mathcal I}(E\,|^{p}_{b}\,S)(s) \in St_{\mathcal I}(Q \wedge R)$. Therefore $\models_{\mathcal I} \Sigma^{\mathcal I}(E\,|^{p}_{b}\,S)(P \wedge R) \subseteq (Q \wedge R)$.
4.7 Completeness of $\mathcal{H}_C$

The completeness of $\mathcal{H}_C$ is proven similarly to how it was proven in Chapter 2.

Lemma 46 For $\mathcal{I} \models PRA$ and a Hoare formula $\{P\}\,E\,|\,S\,\{Q\}$ where $free(min(E\,|\,S)) \subseteq free(P) = free(Q)$

$$\models_{\mathcal I} \{P\}\,E\,|\,S\,\{Q\} \Leftrightarrow \models_{\mathcal I} \forall x\,(P^{+}(x) \to Q^{+}(g_{E|S}(x))).$$

Proof: This proof uses the same technique as was used in Lemma 18 of Chapter 2. □
Theorem 47 (Strongest Postcondition Theorem) Given program unit $E\,|\,S$ and assertion $P$ with $free(min(E\,|\,S)) \subseteq free(P) = X = \{x_1, \ldots, x_k\}$ the SPC of $E\,|\,S, P$ is

$$Q = \exists y_1 \ldots y_k\,(\forall i \le k\,(x_i = (g_{E|S}\rho(y))_{y_i}) \wedge P\rho)$$

where $\rho = [y_k/x_k]$ and $y = c((y_1, y_1) \cdots (y_k, y_k))$.

That is the following hold:

1. $\vdash_{PRA} \{P\}\,E\,|\,S\,\{Q\}$
2. $\models_{PRA} \{P\}\,E\,|\,S\,\{R\} \Rightarrow \vdash_{PRA} Q \to R$

Proof: This proof uses the same technique as was used in the SPC Theorem of Chapter 2. □

In Chapters 2 and 3 showing the completeness of the verification system required showing the provability of a SPC Hoare triple for program segment $S$ and assertion $P$. That is, it was proven that for $free(min(S)) \subseteq free(P) = X = \{x_1, \ldots, x_k\}$, $Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$, $\rho = [y_k/x_k]$ and $y = c(y_1 \ldots y_k)$

$$\vdash_{\mathcal H} \{\forall i \le k\,(x_i = y_i) \wedge P\}\ S\ \{\forall i \le k\,(x_i = (g_{E|S}\rho(y))_{y_i}) \wedge P\rho\}.$$

Notice that $\forall i \le k\,(x_i = y_i) \wedge P \Rightarrow \forall i \le k\,(x_i = y_i) \wedge P\rho$ and the free variables of $P\rho$ are disjoint from the free variables of $S$. Therefore, now that the Invariance Rule is included in $\mathcal{H}_C$, a simplified version of the SPC Hoare triple suffices to show the verification system is complete. Rather than showing the provability of a SPC Hoare triple, the provability of a most general formula, MGF, will be shown.

Lemma 48 (MGF) For a program unit $E\,|\,S$ where $free(min(E\,|\,S)) = X = \{x_1, \ldots, x_k\}$, $Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$, $\rho = [y_i/x_i]$ and $y = c(y_1 \ldots y_k)$

$$\vdash_{\mathcal{H}_C} \{\forall i \le k\,(x_i = y_i)\}\ E\,|\,S\ \{\forall i \le k\,(x_i = (g_{E|S}\rho(y))_{y_i})\}.$$
Proof: Assume that $i$ goes from $1$ to $k$. The proof uses the technique given in the example proof on page 63. Induction on a program unit $E\,|\,S$ is used a number of times in this proof. In each context the treatment of the non-call constructs is the same. In these contexts the following holds for the non-call constructs.

$$\vdash_{\mathcal{H}_C} \{x_i = y_i\}\ E\,|\,S\ \{x_i = (g_{E|S}\rho(y))_{y_i}\} \qquad (4.11)$$

$$\vdash_{\mathcal{H}_C} \{x_i = y_i\}\ E\,|^{p}_{b}\,S\ \{x_i = (g_{E|^{p}S}\rho(b, y, r_{E'|p}\rho(b, y)))_{y_i}\} \qquad (4.12)$$

for a cycle entered via the call $E'\,|\,p$.

For $S$ an assignment, composition, iteration or a variable declaration statement, proofs of the above use the same technique as was used in proving Lemma 28 in Chapter 2. Equation 4.11 will be proved for $S$ a procedure declaration statement. The proof of equation 4.12 for a procedure declaration statement is similar.

$S = \mathbf{begin}\ E_1;\ S_1\ \mathbf{end}$ and $E' = Add(E_1, E)$.

$\{x_i = y_i\}\ E\,|\,\mathbf{begin}\ E_1;\ S_1\ \mathbf{end}\ \{x_i = (g_{E|S}\rho(y))_{y_i}\}$
↑ Procedure Declaration Rule
$\{x_i = y_i\}\ E'\,|\,S_1\ \{x_i = (g_{E|S}\rho(y))_{y_i}\}$
↑ Consequence Rule
$\{x_i = y_i\}\ E'\,|\,S_1\ \{x_i = (g_{E'|S_1}\rho(y))_{y_i}\}$
Inductive Hypothesis

The proof of equation 4.11 shows that the lemma holds for the non-call constructs. The provability of a MGF for a procedure call $E\,|\,p$ is left to show. Prove this by induction on the height $h$ of the $E\,|\,p$ di-graph. Notice that this induction is not occurring within the proof system. A call di-graph has a fixed height. Let $\mathbf{proc}\ p\ e;\ T\ \mathbf{end} \in E$.
Assume $h = 0$ and the call $E\,|\,p$ is not the start node of a cycle.

$\{x_i = y_i\}\ E\,|\,p\ \{x_i = (g_{E|p}\rho(y))_{y_i}\}$
↑ Non-Recursive Procedure Call Rule
$\{x_i = y_i\}\ E\,|\,T\ \{x_i = (g_{E|p}\rho(y))_{y_i}\}$
↑ Consequence Rule
$\{x_i = y_i\}\ E\,|\,T\ \{x_i = (g_{E|T}\rho(y))_{y_i}\}$

The provability of the above triple has been shown for the non-call constructs. Since $h = 0$ there are no calls in procedure body $T$.

Suppose $h = 0$ and the call $E\,|\,p$ is the start node of one or more cycles.

$\{x_i = y_i\}\ E\,|\,p\ \{x_i = (g_{E|p}\rho(y))_{y_i}\}$
↑ Consequence Rule. Let $d$ be a fresh variable.
$\{x_i = y_i \wedge d = e\}\ E\,|\,p\ \{x_i = (r_{E|p}\rho(d, y))_{y_i} \wedge d = e \wedge 0 \le d \le e\}$
↑ Recursive Procedure Call Rule
  precondition: $x_i = y_i \wedge d = w$
  postcondition: $x_i = (r_{E|p}\rho(d, y))_{y_i} \wedge d = w \wedge 0 \le d \le e$

$(x_i = y_i \wedge d = 0) \to (x_i = (r_{E|p}\rho(d, y))_{y_i} \wedge d = 0 \wedge 0 \le d \le e)$.

Assume $\{x_i = y_i \wedge d = v - 1 \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,p\ \{x_i = (r_{E|p}\rho(d, y))_{y_i} \wedge d = v - 1 \wedge 0 \le d \le e \wedge 0 < v \le e\}$.
Prove $\{x_i = y_i \wedge d = v \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,T\ \{x_i = (r_{E|p}\rho(d, y))_{y_i} \wedge d = v \wedge 0 \le d \le e \wedge 0 < v \le e\}$.
↑ Consequence Rule

Let $y'$ be the result of extending code $y$ to include the element $(d', v)$, $\rho' = [y_k/x_k, d'/v]$ and $g_{E|^{p}T}\rho$ be extended to operate on the state code $y'$ so that it leaves $d'$ unchanged. Let $g = g_{E|^{p}T}$ and $r = r_{E|p}$.

$\{x_i = y_i \wedge d = v \wedge 0 \le d \le e\}\ E\,|^{p}_{v-1}\,T\ \{x_i = (g\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g\rho'(v-1, y', r\rho'(v-1, y')))_{d'} \wedge 0 \le d \le e\}$

This Hoare triple holds for the non-call constructs as follows.

$\{x_i = y_i \wedge d = v \wedge 0 \le d \le e\}\ E\,|^{p}_{v-1}\,T\ \{x_i = (g\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g\rho'(v-1, y', r\rho'(v-1, y')))_{d'} \wedge 0 \le d \le e\}$
↑ Invariance Rule
$\{x_i = y_i \wedge d = v\}\ E\,|^{p}_{v-1}\,T\ \{x_i = (g\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g\rho'(v-1, y', r\rho'(v-1, y')))_{d'}\}$
MGF


Since $h = 0$ calls in procedure body $T$ can only be to the first node on a cycle. Consider the cycles on node $E\,|\,p$. Label the calls participating in these cycles as they were labeled in the example proof. That is, label them according to how many calls there are between the edge representing this call and the edge entering node $E\,|\,p$. Let $g_j = g_{E_{n,j}|^{p}q_{n,j}}$. The triple is proven for each call $E_{n,m}\,|^{p}\,q_{n,m}$ if it can be shown that, for $0 \le j \le m$,

$$\vdash_{\mathcal{H}_C} \{x_i = y_i \wedge d = v \wedge 0 \le d \le e\}\ E_{n,j}\,|^{p}_{v-1}\,q_{n,j}\ \{x_i = (g_j\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_j\rho'(v-1, y', r\rho'(v-1, y')))_{d'} \wedge 0 \le d \le e\}.$$

This is proven for any $n$ by induction on $j$. Notice that this induction is not occurring within the proof system. The length of each of a call's cycles is fixed.
Let $j = 0$.

$\{x_i = y_i \wedge d = v \wedge 0 \le d \le e\}\ E_{n,0}\,|^{p}_{v-1}\,q_{n,0}\ \{x_i = (g_0\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_0\rho'(v-1, y', r\rho'(v-1, y')))_{d'} \wedge 0 \le d \le e\}$
↑ Environment Rule
$\{x_i = y_i \wedge d = v \wedge 0 \le d \le e\}\ E\,|^{p}_{v-1}\,p\ \{x_i = (g_0\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_0\rho'(v-1, y', r\rho'(v-1, y')))_{d'} \wedge 0 \le d \le e\}$
↑ Consequence Rule ↑ a
$\{x_i = y_i \wedge d - 1 = v - 1 \wedge 0 < v \le e\}\ E\,|^{p}_{v-1}\,p\ \{x_i = (r\rho(d-1, y))_{y_i} \wedge d - 1 = v - 1 \wedge 0 \le d - 1 \le e \wedge 0 < v \le e\}$

This Hoare triple is the assumption with $d$ replaced by $d - 1$. This translation is proved using the Substitution, Invariance and Consequence Rules.

The proof of implication a is as follows.

$x_i = (r\rho(d-1, y))_{y_i} \wedge d - 1 = v - 1 \wedge 0 \le d - 1 \le e \wedge 0 < v \le e$
$\Rightarrow\ x_i = (r\rho(v-1, y))_{y_i} \wedge d = v \wedge 0 \le d \le e$
$\Rightarrow\ x_i = (g_0\rho(v-1, y, r\rho(v-1, y)))_{y_i} \wedge d = v \wedge 0 \le d \le e$
$\Rightarrow\ x_i = (g_0\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_0\rho'(v-1, y', r\rho'(v-1, y')))_{d'} \wedge 0 \le d \le e$
Let $0 < j \le m$, $\mathbf{proc}\ q_{n,j}\ e_{n,j};\ R_{n,j}\ \mathbf{end} \in E_{n,j}$ and $g_{n,j} = g_{E_{n,j}|^{p}R_{n,j}}$.

$\{x_i = y_i \wedge d = v\}\ E_{n,j}\,|^{p}_{v-1}\,q_{n,j}\ \{x_i = (g_j\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_j\rho'(v-1, y', r\rho'(v-1, y')))_{d'}\}$
↑ Inner Procedure Call Rule
$\{x_i = y_i \wedge d = v\}\ E_{n,j}\,|^{p}_{v-1}\,R_{n,j}\ \{x_i = (g_j\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_j\rho'(v-1, y', r\rho'(v-1, y')))_{d'}\}$
↑ Consequence Rule
$\{x_i = y_i \wedge d = v\}\ E_{n,j}\,|^{p}_{v-1}\,R_{n,j}\ \{x_i = (g_{n,j}\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_{n,j}\rho'(v-1, y', r\rho'(v-1, y')))_{d'}\}$

This Hoare triple is proven for the non-call constructs. The calls in $R_{n,j}$ are of the form $E_{n,j-1}\,|^{p}_{v-1}\,q_{n,j-1}$. The Hoare triple holds for these calls by the inductive hypothesis on $j$.

Let $h > 0$. The proof that the lemma holds for the call $E\,|\,p$ where $h > 0$ is similar to the proof that the lemma holds for the call $E\,|\,p$ where $h = 0$ except that an additional case is needed to inductively prove some of the Hoare triples. Only these additional cases will be discussed.

Suppose $E\,|\,p$ is not a start node. The procedure body $T$ may contain a procedure call. The height of the di-graph for this call will be less than $h$. Thus, the lemma holds for this call by induction on $h$.

Say $E\,|\,p$ is the start node of one or more cycles. The procedure body $T$ may contain one or more calls to a procedure whose node is not on the cycle. The lemma is proven for such a call as follows.

$\{x_i = y_i\}\ E\,|^{p}_{v-1}\,q\ \{x_i = (g_{E|^{p}q}\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_{E|^{p}q}\rho'(v-1, y', r\rho'(v-1, y')))_{d'}\}$
↑ Off Cycle Procedure Call Rule
$\{x_i = y_i\}\ E\,|\,q\ \{x_i = (g_{E|^{p}q}\rho'(v-1, y', r\rho'(v-1, y')))_{y_i} \wedge d = (g_{E|^{p}q}\rho'(v-1, y', r\rho'(v-1, y')))_{d'}\}$
↑ Consequence Rule
$\{x_i = y_i\}\ E\,|\,q\ \{x_i = (g_{E|q}\rho'(y'))_{y_i} \wedge d = (g_{E|q}\rho'(y'))_{d'}\}$

The height of the $E\,|\,q$ di-graph will be less than $h$. Thus, the above triple is proved by induction on $h$.

In proving the lemma for a call to the next node on a cycle the procedure body $R_{n,j}$ may contain one or more calls to a procedure whose node is not on the cycle. This case is handled as it was in the previous paragraph. □

Theorem 49 (Completeness) For a Hoare triple $\{P\}\,E\,|\,S\,\{Q\}$

$$\models_{PRA} \{P\}\,E\,|\,S\,\{Q\} \Rightarrow \vdash_{\mathcal{H}_C} \{P\}\,E\,|\,S\,\{Q\}.$$

Proof: Assume $\models_{PRA} \{P\}\,E\,|\,S\,\{Q\}$. Without loss of generality, also assume $free(min(E\,|\,S)) \subseteq free(P) = X = \{x_1, \ldots, x_k\}$, $Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$, $\rho = [y_k/x_k]$ and $y = c(y_1 \ldots y_k)$.

$\{P\}\ E\,|\,S\ \{Q\}$
↑ a  Consequence Rule  ↑ b
$\{\forall i \le k\,(x_i = y_i) \wedge P\rho\}\ E\,|\,S\ \{\forall i \le k\,(x_i = (g_{E|S}\rho(y))_{y_i}) \wedge P\rho\}$
↑ Invariance Rule
$\{\forall i \le k\,(x_i = y_i)\}\ E\,|\,S\ \{\forall i \le k\,(x_i = (g_{E|S}\rho(y))_{y_i})\}$
MGF

Define $P'$ from $P$ by $P' = \exists x_k\,y_k\,(\forall i \le k\,(x_i = y_i) \wedge P)$. Implication a holds since

The formula $\forall i \le k\,(x_i = (g_{E|S}\rho(y))_{y_i}) \wedge P\rho$ implies the strongest postcondition of $E\,|\,S$ and $P$. Thus implication b holds by part 2 of the SPC Theorem. □


CHAPTER 5
PARAMETERS

5.1 Syntax of $\mathcal{L}_D$

The language $\mathcal{L}_C$ has a version of four of the five constructs which Clarke identified as problematic. That is, $\mathcal{L}_C$ uses static scope and allows internal procedures, global variables and bounded recursion. In this chapter the language is extended to allow variable and procedure parameters using call by name parameter passing. In call by name parameter passing the identifier itself is passed to a procedure.

The idea behind passing variable parameters is to allow a procedure to perform a fixed set of operations on various sets of variables. This would be fairly straightforward if the functionality of a procedure was independent of the variables passed to it. This is not necessarily the case. Consider the following procedure.

proc add(m, n, j, k)
  j := m
  k := n
  z := j + k
end

We would like to say that the functionality of the procedure add is to put the sum of the contents of the first and second variables into variable z. This is not the case for the call add(x, y, w, w). In this case the functionality of procedure add is to put 2 times the contents of the second variable into variable z. To avoid the above aliasing problem the requirement could be made that the variables in a variable parameter list be distinct and different from the free variables in the environment. This restriction is not necessary, however, because the machinery required to work with procedure parameters also handles such aliasing problems.
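The aliasing just described can be reproduced by executing the procedure under call-by-name substitution. The following Python is an added example, not the dissertation's own code: a small interpreter for an assumed tuple encoding of the language (assignments, sequencing, calls with variable parameters, and bounded recursion with the bound evaluated once when a start node is entered). It runs the call add(x, y, w, w) from this section and, because it handles bounded recursive calls as well, the program $\pi = \mathbf{proc}\ q\ a;\ q;\ i := i + 1\ \mathbf{end};\ i := 0;\ q$ from the proof of Lemma 44, which leaves $i = a$. The aliasing_problems function implements the check the text considers (actuals distinct and not free in the environment). Procedure parameters are not modelled, and all function and constant names are assumptions of this example.

```python
"""Call-by-name parameter passing with bounded recursion.

Added example; it is not code from the dissertation. The syntax is an
assumed tuple encoding of the chapter's language: expressions are
("const", n), ("var", x) or ("add", e1, e2); statements are
("assign", x, e), ("seq", s1, s2) or ("call", p, [actual vars]); a
procedure declaration is stored as env[p] = (formals, bound_expr, body).
Procedure parameters (the r-bar part of p(z : r)) are not modelled.
"""


def eval_expr(expr, state):
    """Evaluate an expression in a state (unset variables read as 0)."""
    tag = expr[0]
    if tag == "const":
        return expr[1]
    if tag == "var":
        return state.get(expr[1], 0)
    if tag == "add":
        return eval_expr(expr[1], state) + eval_expr(expr[2], state)
    raise ValueError(f"unknown expression {expr!r}")


def subst_expr(expr, sub):
    """Call by name: actuals replace formals textually, never by value."""
    tag = expr[0]
    if tag == "var":
        return ("var", sub.get(expr[1], expr[1]))
    if tag == "add":
        return ("add", subst_expr(expr[1], sub), subst_expr(expr[2], sub))
    return expr


def subst_stmt(stmt, sub):
    """Apply the substitution [z-bar / y-bar] to a procedure body."""
    tag = stmt[0]
    if tag == "assign":
        return ("assign", sub.get(stmt[1], stmt[1]), subst_expr(stmt[2], sub))
    if tag == "seq":
        return ("seq", subst_stmt(stmt[1], sub), subst_stmt(stmt[2], sub))
    if tag == "call":
        return ("call", stmt[1], [sub.get(z, z) for z in stmt[2]])
    raise ValueError(f"unknown statement {stmt!r}")


def run(stmt, env, state, active):
    """Execute stmt in place. `active` maps a procedure whose cycle has been
    entered to the recursion depth still allowed: the bound e is evaluated
    once, at the start node, and a call at depth 0 is the identity."""
    tag = stmt[0]
    if tag == "assign":
        state[stmt[1]] = eval_expr(stmt[2], state)
    elif tag == "seq":
        run(stmt[1], env, state, active)
        run(stmt[2], env, state, active)
    elif tag == "call":
        name, actuals = stmt[1], stmt[2]
        formals, bound, body = env[name]
        sub = dict(zip(formals, actuals))
        if name in active:                          # inner call on the cycle
            depth = active[name]
        else:                                       # start node: fix the bound
            depth = eval_expr(subst_expr(bound, sub), state)
        if depth == 0:
            return
        saved = active.get(name)
        active[name] = depth - 1
        run(subst_stmt(body, sub), env, state, active)
        if saved is None:
            del active[name]
        else:
            active[name] = saved
    else:
        raise ValueError(f"unknown statement {stmt!r}")


def run_program(main, env, state):
    """Run program unit E | S from an initial state; returns the final state."""
    state = dict(state)
    run(main, env, state, {})
    return state


# Constructed sample 1: proc add(m, n, j, k)  j := m; k := n; z := j + k  end
ADD_ENV = {
    "add": (["m", "n", "j", "k"], ("const", 1),
            ("seq", ("seq", ("assign", "j", ("var", "m")),
                            ("assign", "k", ("var", "n"))),
                    ("assign", "z", ("add", ("var", "j"), ("var", "k"))))),
}


def add_call(actuals, state=None):
    """Call add on the given actual variables; x = 2, y = 5 unless overridden."""
    state = {"x": 2, "y": 5} if state is None else state
    return run_program(("call", "add", list(actuals)), ADD_ENV, state)


def aliasing_problems(actuals, env_free_vars):
    """Actuals that are repeated or clash with a free variable of the environment."""
    seen, problems = set(), []
    for z in actuals:
        if (z in seen or z in env_free_vars) and z not in problems:
            problems.append(z)
        seen.add(z)
    return problems


# Constructed sample 2: proc q a; q; i := i + 1 end; i := 0; q  (Lemma 44)
PI_ENV = {
    "q": ([], ("var", "a"),
          ("seq", ("call", "q", []),
                  ("assign", "i", ("add", ("var", "i"), ("const", 1))))),
}
PI_MAIN = ("seq", ("assign", "i", ("const", 0)), ("call", "q", []))
```

With x = 2 and y = 5, add_call(["x", "y", "j", "k"])["z"] returns 7 (the sum), whereas add_call(["x", "y", "w", "w"])["z"] returns 10 (twice y), because substitution turns the body into w := x; w := y; z := w + w. aliasing_problems(["x", "y", "w", "w"], {"z"}) reports ["w"], the duplicated actual. For the Lemma 44 program, run_program(PI_MAIN, PI_ENV, {"a": 3})["i"] returns 3: the bound a is read once when q is first entered, the body is entered three times, and the innermost call at depth 0 does nothing.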

Given a procedure call $E\,|\,p(\bar z : \bar r)$, the vector $\bar z$ is the list of variable parameters and $\bar r$ the list of procedure parameters being passed to $p$. It has been proven [7] that a universal programming language with internal procedures, global variables, static scope, recursion and procedures as parameters does not have a relatively sound and complete Hoare verification system. Olderog showed that this is due to unbounded reference chains. To understand what function a procedure performs, it is necessary to understand those procedures called by the procedure. The reference chain of a procedure call $p$ has an entry for each call which must be understood in order to understand the call to $p$. This is formalized by considering formal computation paths. These paths are formal because they are abstracted from operations on the data. Given a program unit $E\,|\,S$, define its formal computation paths or computation paths

$$\mathcal{P}:\ E\,|\,S = E_1\,|\,S_1 \to \cdots \to E_n\,|\,S_n$$

recursively as follows.

$S = x := e$: $E\,|\,S$ has no successor
$S = S_1; S_2$: $E\,|\,S \to E\,|\,S_1$ and $E\,|\,S \to E\,|\,S_2$
$S = \mathbf{loop}\ e;\ S_1\ \mathbf{end}$: $E\,|\,S \to E\,|\,S_1$
$S = \mathbf{begin}\ x;\ S_1\ \mathbf{end}$: $E\,|\,S \to E\,|\,S_1$
$S = \mathbf{begin}\ E_1;\ S_1\ \mathbf{end}$: $E\,|\,S \to Add(E_1, E)\,|\,S_1$
$S = p(\bar z : \bar r)$ where $\mathbf{proc}\ p(\bar y : \bar t)\ e;\ T\ \mathbf{end} \in E$: $E\,|\,S \to E\,|\,C(T[\bar z/\bar y, \bar r/\bar t])$

Let $\to^{*}$ denote the transitive closure of $\to$. Write $E\,|\,S \to^{i} E'\,|\,S'$ if there is a path of length $i$ such that $E\,|\,S = E_1\,|\,S_1 \to \cdots \to E_i\,|\,S_i = E'\,|\,S'$. Clarke's range function [7] returns the set of all procedure calls which occur in a formal computation path of a program unit. That is, $range(E\,|\,S) = \{E'\,|\,p(\bar z : \bar r)\ \text{s.t.}\ E\,|\,S \to^{*} E'\,|\,p(\bar z : \bar r)\}$.

Two program units $E\,|\,S$ and $E'\,|\,S'$ are said to be substitutionally equivalent if there is a substitution $\sigma$ which is injective on $free(min(E\,|\,S))$ where $min(E\,|\,S) = (min(E'\,|\,S'))\sigma$. Assume a similar definition for bounded program units. Olderog uses the relation of substitutional equivalence to split the elements of Clarke's range into equivalence classes. This gives the index of a program unit. That is, $index(E\,|\,S) = \{E'\,|\,p(\bar z : \bar r)\ \text{where}\ E\,|\,S \to^{*} E'\,|\,p(\bar z : \bar r)\}$. This is Olderog's $\infty$-index [29]. If a language is defined such that the index of each of its programs is bounded, Olderog says the procedure calls are mastered in that language. Olderog proved that, using current Hoare systems, this mastering of procedure calls is the crucial factor in the non-existence of a relatively sound and complete Hoare system. In general, it is undecidable if a program's procedure calls are mastered. Olderog presented a number of sufficient conditions which restrict the language so that calls are mastered. One such condition is to allow procedures as parameters but to disallow global formal procedure identifiers. This is the method which will be used here.

For variable identifiers $x, \bar x$, procedure identifiers $p, r, \bar r$ and an expression $e$ the set of program segments of $\mathcal{L}_D$ is defined in Backus-Naur form as follows:

$S ::= x := e \mid S_1; S_2 \mid \mathbf{loop}\ e;\ S_1\ \mathbf{end} \mid B \mid p(\bar x : \bar r)$
$B ::= \mathbf{begin}\ x;\ S\ \mathbf{end} \mid \mathbf{begin}\ E;\ S\ \mathbf{end}$
$E ::= \epsilon \mid \mathbf{proc}\ p(\bar x : \bar r)\ e;\ S\ \mathbf{end} \mid E_1; E_2$

The procedure declaration $E = \mathbf{proc}\ p(\bar x : \bar r)\ e;\ S\ \mathbf{end}$ binds the variable identifiers $\bar x$ and the procedure identifiers $\bar r$ in $\mathbf{proc}\ p(\bar x : \bar r)\ e;\ S\ \mathbf{end}$. Identifiers which are bound in this way are referred to as formal. Other bound identifiers are referred to as informal. A global formal procedure identifier is a formal procedure identifier which occurs freely in some procedure declaration.
A call di-graph for the call $E\,|\,p(\bar z : \bar r)$ in a distinguished program is constructed as follows. Let $E\,|\,p(\bar z : \bar r)$ be the root node. For each node $E\,|\,p(\bar z : \bar r)$ in the graph, where $\mathbf{proc}\ p(\bar y : \bar t)\ e;\ S\ \mathbf{end} \in E$ and $r\text{-}index(E\,|\,p(\bar z : \bar r)) = \{E_i\,|\,p(\bar z_i : \bar r_i)\ \text{for}\ 1 \le i \le n\}$, consider the body of procedure $p$, $E\,|\,S[\bar z/\bar y, \bar r/\bar t]$.

For $E\,|\,S[\bar z/\bar y, \bar r/\bar t] = E'\,|\,S'$, follow the directions for building the call di-graph given in Chapter 4 with the following change for a procedure call. Assume we are currently at the node $E\,|\,p(\bar z : \bar r)$.

$E'\,|\,S' = E'\,|\,q(\bar w : \bar s)$. Three cases are possible. Either $p = q$, there is a node $E''\,|\,q(\bar u : \bar v)$ which is a direct ancestor of $E\,|\,p(\bar z : \bar r)$, or there is no node with procedure identifier $q$ which is a direct ancestor of $E\,|\,p(\bar z : \bar r)$.

In the first case the call $E'\,|\,q(\bar w : \bar s)$ is a direct recursive call. Draw a directed edge from node $E\,|\,p(\bar z : \bar r)$ to itself. Notice that it no longer holds that $min(E'\,|\,q(\bar w : \bar s)) = min(E\,|\,p(\bar z : \bar r))$. However, the call $E'\,|\,p(\bar w : \bar s)$ may be substitutionally equivalent to a call already made to this node. If this is the case we are done. If not, repeat this process for node $E\,|\,p(\bar z : \bar r)$, using program unit $E'\,|\,S[\bar w/\bar y, \bar s/\bar t]$.

In the second case $E'\,|\,q(\bar w : \bar s)$ is an indirect recursive call. Draw a directed edge from node $E\,|\,p(\bar z : \bar r)$ to node $E''\,|\,q(\bar u : \bar v)$. Let $\mathbf{proc}\ q(\bar d : \bar b)\ e';\ T\ \mathbf{end} \in E$. The call $E'\,|\,q(\bar w : \bar s)$ may be substitutionally equivalent to a call already made to this node. If this is the case we are done. If not, repeat this process for node $E''\,|\,q(\bar u : \bar v)$, using program unit $E''\,|\,T[\bar w/\bar d, \bar s/\bar b]$.

In the last case $E'\,|\,q(\bar w : \bar s)$ is a non-recursive call. Create a new node $E'\,|\,q(\bar w : \bar s)$. Draw a directed edge from node $E\,|\,p(\bar z : \bar r)$ to node $E'\,|\,q(\bar w : \bar s)$ and repeat the process for this new node.

A program in $\mathcal{L}_D$ is a block with the following restrictions:




•  no  free  procedure  identifiers, 

•  no  global  formal  procedure  identifiers, 

•  the  call  di-graph  of  each  call  contains  only  simple  cycles  and 

•  calls  to  the  next  node  on  a  cycle  do  not  occur  within  the  body  of  a  loop. 


5.2 Semantics of $\mathcal{L}_D$

The semantics of $\mathcal{L}_D$ are the same as the semantics of $\mathcal{L}_C$ except for the meaning of procedure calls.

$\Sigma^{\mathcal I}(E\,|\,p(\bar z : \bar r))(s) = \Sigma^{\mathcal I}(E\,|\,T\rho)(s)$ if $E\,|\,p(\bar z : \bar r)$ is not a start node
$\Sigma^{\mathcal I}(E\,|\,p(\bar z : \bar r))(s) = \Sigma^{\mathcal I}(E\,|\,p(\bar z : \bar r)\ \mathcal{I}(e)(s))(s)$ if $E\,|\,p(\bar z : \bar r)$ is a start node

for $\mathbf{proc}\ p(\bar y : \bar s)\ e;\ T\ \mathbf{end} \in E$ and $\rho = [\bar z/\bar y, \bar r/\bar s]$.

$\Sigma^{\mathcal I}(E\,|^{p}_{b}\,q(\bar z : \bar r)) = \Sigma^{\mathcal I}(E\,|\,p(\bar z : \bar r)\ b)$ if $q = p$
$\Sigma^{\mathcal I}(E\,|^{p}_{b}\,q(\bar z : \bar r)) = \Sigma^{\mathcal I}(E\,|^{p}_{b}\,C(T\rho))$ if $q$ is on $p$'s cycle, $q \ne p$
$\Sigma^{\mathcal I}(E\,|^{p}_{b}\,q(\bar z : \bar r)) = \Sigma^{\mathcal I}(E\,|\,q(\bar z : \bar r))$ if $q$ is not on $p$'s cycle

for $\mathbf{proc}\ q(\bar y : \bar s)\ e;\ T\ \mathbf{end} \in E$ and $\rho = [\bar z/\bar y, \bar r/\bar s]$

Lemma 50 (Substitution Lemma) For program unit $E\,|\,S$ and substitution $\rho$ which is injective on $free(min(E\,|\,S))$

Proof: This lemma is straightforwardly proved using the technique given in the example proof on page 63. □

Lemma 51 For a program unit $E\,|\,S$, $\Sigma^{\mathcal I}(E\,|\,S)$ is a program function on $free(min(E\,|\,S))$.

Proof: It is shown that $\Sigma^{\mathcal I}(E\,|\,S)$ is PR for $\mathcal{I}$ an interpretation on $\mathcal{N}$ in the following section. It can be shown that $\Sigma^{\mathcal I}(E\,|\,S)$ is stable and aloof, with respect to its inactive variables, as it was in Chapter 2. □

The following property of program functions is useful in proving the soundness of the new verification system.

Lemma 52 (Extension to Lemma 41) Let $f$ be a program function on $X$ and $\rho$ be an injective substitution on $X \cup free(P \vee Q)$.

$$f\rho(P\rho) \subseteq Q\rho \Leftrightarrow f(P) \subseteq Q.$$

Proof: Assume $f(P) \subseteq Q$ and $\rho$ is an injective substitution on $X \cup free(P \vee Q)$. First show $f(s\rho) = (f\rho(s))\rho$.

$f(s\rho)(w) = f\rho(s)(\rho(w))$  Def. $\rho$ on $f$
$= (f\rho(s))\rho(w)$  Def. $\rho$ on $s$

Using this show $s \in P\rho$ implies $f\rho(s) \in Q\rho$.

$s \in P\rho$
$\Rightarrow\ s\rho \in P$
$\Rightarrow\ f(s\rho) \in Q$
$\Rightarrow\ (f\rho(s))\rho \in Q$
$\Rightarrow\ f\rho(s) \in Q\rho$ □


5.3 $\mathcal{L}_D$ Computes the Class of PR Functions

Operational semantics are given for programs in $\mathcal{L}_D$. The next task is to determine, for each program, the PR function which denotes that program. In order to do this a single PR function must be defined for the initiating recursive call to a procedure, and all subsequent recursive calls to that procedure. This seems difficult since the function performed by a procedure which accepts procedure parameters depends upon the functions performed by those procedure parameters. In some cases different procedure parameters denote the same function. To maintain static scope a procedure may be declared multiple times, each with a different procedure identifier. This creates the situation where multiple procedure identifiers can be passed to a procedure, but the procedure body associated with each of these identifiers is the same. If the bodies of those procedures passed as parameters perform arbitrarily many distinct functions, however, the procedure itself may perform arbitrarily many distinct functions. In this case a call to that procedure is not mastered. Olderog proved that when global formal procedure identifiers are disallowed, the calls are mastered. That is, the number of distinct functions performed by those procedures passed as parameters to a procedure is bounded. This means that given the context of a procedure call it is possible to determine all functions which that procedure body performs.

Lemma 53 Given an $\mathcal{L}_D$ program, the index of every program unit in that program is bounded.

Proof: The proof of this lemma is due to Olderog [29, Corollary 7]. □

Given a program unit $E\,|\,p(\bar z : \bar r)$ define the recursive index, or r-index, of this program unit as those elements in the index which represent recursive calls to $p$. More formally $r\text{-}index(E\,|\,p(\bar z : \bar r)) = \{E'\,|\,p(\bar w : \bar t)\ \text{where}\ E\,|\,p(\bar z : \bar r) \to^{*} E'\,|\,p(\bar w : \bar t)\}$.

Define the function $g_{E|S}$ as in Chapter 4 modifying the definition for a procedure call to the following.

$S = p(\bar z : \bar r)$ where $E\,|\,p(\bar z : \bar r)$ is not a start node, $\mathbf{proc}\ p(\bar y : \bar s)\ e;\ T\ \mathbf{end} \in E$ and $\rho = [\bar z/\bar y, \bar r/\bar s]$.

$$g_{E|p(\bar z : \bar r)}(x) = g_{E|T\rho}(x)$$

$S = p(\bar z : \bar r)$ where $E\,|\,p(\bar z : \bar r)$ is a start node, $r\text{-}index(E\,|\,p(\bar z : \bar r)) = \{E_i\,|\,p(\bar z_i : \bar r_i)\ \text{for}\ 1 \le i \le n\}$ and $min(E\,|\,p(\bar z : \bar r)) = (min(E_m\,|\,p(\bar z_m : \bar r_m)))\sigma$ for $\sigma$ an injective substitution on $free(min(E\,|\,p(\bar z : \bar r)))$, and $E_m\,|\,p(\bar z_m : \bar r_m) \in r\text{-}index(E\,|\,p(\bar z : \bar r))$.

$$g_{E|p(\bar z : \bar r)}(x) = (r_{E|p(\bar z : \bar r)}(g_e(x), x\sigma, m))\sigma^{-1}$$

where $r_{E|p(\bar z : \bar r)}(b, x, i) = r_{E_i|p(\bar z_i : \bar r_i)}(b, x)$ and the functions $r_{E_i|p(\bar z_i : \bar r_i)}$ are defined by simultaneous recursion as follows.

For $1 \le i \le n$ and $b = 0$

$$r_{E_i|p(\bar z_i : \bar r_i)}(0, x) = x.$$

For $1 \le i \le n$, $b > 0$ and $\rho_i = [\bar z_i/\bar y, \bar r_i/\bar s]$

$$r_{E_i|p(\bar z_i : \bar r_i)}(b, x) = g_{E_i|^{p}T\rho_i}(b-1, x, r_{E_1|p(\bar z_1 : \bar r_1)}(b-1, x), \ldots, r_{E_n|p(\bar z_n : \bar r_n)}(b-1, x)).$$

Let $r_i = r_{E_i|p(\bar z_i : \bar r_i)}$. Define the function $g_{E|^{p}S}$ as follows.

$S = x_i := e$: $g_{E|^{p}S}(b, x, r_1(b, x), \ldots, r_n(b, x)) = g_{E|S}(x)$

$S = S_1; S_2$: Let $a = g_{E|^{p}S_1}(b, x, r_1(b, x), \ldots, r_n(b, x))$.
$g_{E|^{p}S}(b, x, r_1(b, x), \ldots, r_n(b, x)) = g_{E|^{p}S_2}(b, a, r_1(b, a), \ldots, r_n(b, a))$

$S = \mathbf{loop}\ e;\ S_1\ \mathbf{end}$: $g_{E|^{p}S}(b, x, r_1(b, x), \ldots, r_n(b, x)) = g_{E|S}(x)$

$S = \mathbf{begin}\ x_i;\ S_1\ \mathbf{end}$:
$g_{E|^{p}S}(b, x, r_1(b, x), \ldots, r_n(b, x)) = drop_{x_i}(g_{E|^{p}S_1}(b, add_{x_i}(a, x), r_1(b, add_{x_i}(a, x)), \ldots, r_n(b, add_{x_i}(a, x))))$

$S = \mathbf{begin}\ E_1;\ S_1\ \mathbf{end}$:
$g_{E|^{p}S}(b, x, r_1(b, x), \ldots, r_n(b, x)) = g_{E'|^{p}S_1}(b, x, r_1(b, x), \ldots, r_n(b, x))$ where $E' = Add(E_1, E)$

$S = q(\bar z : \bar r)$ where $\mathbf{proc}\ q(\bar y : \bar s)\ e;\ T\ \mathbf{end} \in E$ and $\rho = [\bar z/\bar y, \bar r/\bar s]$:
$g_{E|^{p}S}(b, x, r_1(b, x), \ldots, r_n(b, x)) =$
  $(r_m(b, x\sigma))\sigma^{-1}$ for $E\,|\,p(\bar z : \bar r) = (E_m\,|\,p(\bar z_m : \bar r_m))\sigma$, if $q = p$
  $g_{E|^{p}T\rho}(b, x, r_1(b, x), \ldots, r_n(b, x))$ if $q$ is on $p$'s cycle, $q \ne p$
  $g_{E|q(\bar z : \bar r)}(x)$ if $q$ is not on $p$'s cycle

Lemma  54  For  program,  unit  E  \  S  where  free{min{E  \  S))  =  X 

gE^s{cis\X))=ciE^iE\S){s)\X). 

Proof: Let $\gamma = c(s|X)$. This proof is similar to the proof of Lemma 42 in Chapter 4.
The following is assumed to hold for the non-call constructs.

  $g_{E \mid S}(\gamma) = c(\Sigma^M(E \mid S)(s)|X)$   (5.1)

  $g_{E \mid_p S}(b, \gamma, r_1(b,\gamma), \ldots, r_n(b,\gamma)) = c(\Sigma^M(E \mid_b S)(s)|X)$   (5.2)

for a cycle entered via the call $(E' \mid p(\bar z : \bar r))$,

  $r\text{-}index(E' \mid p(\bar z : \bar r)) = \{E_i \mid p(\bar z_i : \bar r_i) \text{ for } 1 \le i \le n\}$

and $r_i = r_{E_i \mid p(\bar z_i : \bar r_i)}$ for $1 \le i \le n$.
The  proof  of  these  equations  for  the  non-call  constructs  uses  the  same  technique  as 
has  been  used  previously.  The  notation  is  more  burdensome  due  to  the  complexity 
of  having  n  distinct  recursive  calls. 

Prove the lemma for a call $(E \mid p(\bar z : \bar r))$ by induction on the height $h$ of the
$E \mid p(\bar z : \bar r)$ di-graph. Let proc $p(\bar y : \bar s)$ $e; T$ end $\in E$ and $\rho = [\bar z/\bar y, \bar r/\bar s]$.

Suppose $h = 0$ and the call $E \mid p(\bar z : \bar r)$ is not the start node of a cycle. If it can
be shown that

  $g_{E \mid T\rho}(\gamma) = c(\Sigma^M(E \mid T\rho)(s)|X)$   (5.3)

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then the following holds.

  $g_{E \mid p(\bar z : \bar r)}(\gamma) = c(\Sigma^M(E \mid T\rho)(s)|X)$

    $= c(\Sigma^M(E \mid p(\bar z : \bar r))(s)|X)$

Equation 5.3 holds for the non-call constructs. Since $h = 0$ there are no calls in
procedure body $T\rho$.

Suppose $h = 0$ and the call $E \mid p(\bar z : \bar r)$ is the start node of one or more cycles.
Say $r\text{-}index(E \mid p(\bar z : \bar r)) = \{E_i \mid p(\bar z_i : \bar r_i) \text{ for } 1 \le i \le n\}$ and $min(E \mid p(\bar z : \bar r)) =
(min(E_m \mid p(\bar z_m : \bar r_m)))\sigma$ for substitution $\sigma$ which is injective on $X \cup Y$. Let $r_i =
r_{E_i \mid p(\bar z_i : \bar r_i)}$ for $1 \le i \le n$.

If it can be proved that

  $r_m(b, \gamma) = c(\Sigma^M(E_m \mid p(\bar z_m : \bar r_m)\ b)(s)|X)$   (5.4)

then the following holds.

  $g_{E \mid p(\bar z : \bar r)}(\gamma) = (r_m(I(e)(s), \gamma\sigma))\sigma^{-1}$

    $= (c(\Sigma^M(E_m \mid p(\bar z_m : \bar r_m)\ I(e)(s))(s\sigma)|X))\sigma^{-1}$

    $= c((\Sigma^M(E_m \mid p(\bar z_m : \bar r_m))(s\sigma))\sigma^{-1}|X)$

    $= c(\Sigma^M(E_m \mid p(\bar z_m : \bar r_m))\sigma(s)|X)$

    $= c(\Sigma^M((E_m \mid p(\bar z_m : \bar r_m))\sigma)(s)|X)$

    $= c(\Sigma^M(E \mid p(\bar z : \bar r))(s)|X)$

Equation 5.4 is proved if it can be shown that for $j$, $1 \le j \le n$, the following
holds.

  $r_j(b, \gamma) = c(\Sigma^M(E_j \mid p(\bar z_j : \bar r_j)\ b)(s)|X).$   (5.5)

This is proved by induction on $b$. For $1 \le j \le n$ and $b = 0$

  $r_j(0, \gamma) = \gamma$

    $= c(id(s)|X)$

    $= c(\Sigma^M(E_j \mid p(\bar z_j : \bar r_j)\ 0)(s)|X).$
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Assume $b > 0$. Let $\rho_i = [\bar z_i/\bar y, \bar r_i/\bar s]$ and $g_i = g_{E_i \mid_p T\rho_i}$ for $1 \le i \le n$. If it can be
shown that for $1 \le j \le n$

  $g_j(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma)) = c(\Sigma^M(E_j \mid_{b-1} T\rho_j)(s)|X)$   (5.6)

then the following holds.

  $r_j(b, \gamma) = g_j(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

    $= c(\Sigma^M(E_j \mid_{b-1} C(T\rho_j))(s)|X)$

    $= c(\Sigma^M(E_j \mid p(\bar z_j : \bar r_j)\ b)(s)|X)$

The proof of equation 5.2 shows that equation 5.6 holds for the non-call constructs.
Since $h = 0$, calls in procedure body $T\rho_j$ can only be to the first node on a cycle.
Consider the cycles on node $E \mid p(\bar z : \bar r)$. As in the proof of the example on page 63,
label the calls participating in these cycles according to how many calls there are
between the edge representing this call and the edge entering node $E \mid p(\bar z : \bar r)$.
Notice that each call $E_{d,0} \mid q_{d,0}(\bar z_{d,0} : \bar r_{d,0})$ is substitutionally equivalent to one of the
$E_i \mid p(\bar z_i : \bar r_i)$ where $E_i \mid p(\bar z_i : \bar r_i) \in r\text{-}index(E \mid p(\bar z : \bar r))$. Equation 5.6 holds for
each call $E_{d,m} \mid_p q_{d,m}(\bar z_{d,m} : \bar r_{d,m})$ if it can be shown that for $i \ge 0$

  $g_{E_{d,i} \mid_p q_{d,i}(\bar z_{d,i} : \bar r_{d,i})}(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

    $= c(\Sigma^M(E_{d,i} \mid_{b-1} q_{d,i}(\bar z_{d,i} : \bar r_{d,i}))(s)|X)$   (5.7)

This will be proven by induction on $i$. Say $i = 0$ and $min(E_{d,0} \mid q_{d,0}(\bar z_{d,0} : \bar r_{d,0})) =
(min(E_m \mid p(\bar z_m : \bar r_m)))\sigma$ for $\sigma$ an injective substitution on $X \cup Y$. If it can be shown
that

  $r_m(b-1, \gamma) = c(\Sigma^M(E_m \mid p(\bar z_m : \bar r_m)\ b-1)(s)|X)$   (5.8)

then the following holds.

  $g_{E_{d,0} \mid_p q_{d,0}(\bar z_{d,0} : \bar r_{d,0})}(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

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    $= (c(\Sigma^M(E_m \mid p(\bar z_m : \bar r_m)\ b-1)(s\sigma)|X))\sigma^{-1}$

    $= c((\Sigma^M(E_m \mid_{b-1} p(\bar z_m : \bar r_m))(s\sigma))\sigma^{-1}|X)$

    $= c((\Sigma^M(E_m \mid_{b-1} p(\bar z_m : \bar r_m)))\sigma(s)|X)$

    $= c(\Sigma^M((E_{d,0} \mid_{b-1} q_{d,0}(\bar z_{d,0} : \bar r_{d,0})))(s)|X)$

Equation 5.8 holds by induction on $b$.

Let $i > 0$, proc $q_{d,i}(\bar u_{d,i} : \bar v_{d,i})$ $e_{d,i}; R_{d,i}$ end $\in E_{d,i}$ and $\rho_{d,i} = [\bar z_{d,i}/\bar u_{d,i}, \bar r_{d,i}/\bar v_{d,i}]$. If
it can be shown that

  $g_{E_{d,i} \mid_p R_{d,i}\rho_{d,i}}(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

    $= c(\Sigma^M(E_{d,i} \mid_{b-1} R_{d,i}\rho_{d,i})(s)|X)$   (5.9)

then the following holds.

  $g_{E_{d,i} \mid_p q_{d,i}(\bar z_{d,i} : \bar r_{d,i})}(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

    $= g_{E_{d,i} \mid_p R_{d,i}\rho_{d,i}}(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

    $= c(\Sigma^M(E_{d,i} \mid_{b-1} C(R_{d,i}\rho_{d,i}))(s)|X)$

    $= c(\Sigma^M(E_{d,i} \mid_{b-1} q_{d,i}(\bar z_{d,i} : \bar r_{d,i}))(s)|X)$

Equation 5.9 holds for the non-call constructs. Since the cycles are simple and $h = 0$
the only calls in $R_{d,i}\rho_{d,i}$ are calls of the form $E_{d',i-1} \mid q_{d',i-1}(\bar z_{d',i-1} : \bar r_{d',i-1})$. Equa-
tion 5.9 is proved for these calls by induction on $i$.

Let  h  >  0.  The  proof  that  the  lemma  holds  for  the  call  E  \  p{z  :  f)  where  h  >  0  is 
similar  to  the  proof  that  the  lemma  holds  for  the  call  E  \  p{z  :  r)  where  h  =  0  except 
that  an  additional  case  is  needed  to  inductively  prove  some  of  the  equations.  Only 
these  additional  cases  will  be  discussed. 

Say $E \mid p(\bar z : \bar r)$ is not a start node. In proving equation 5.3 the procedure body
$T\rho$ may contain a procedure call. The height of the di-graph for this call will be less
than $h$. Thus, equation 5.3 holds for this call by induction on $h$.
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Say $E \mid p(\bar z : \bar r)$ is the start node of one or more cycles. In proving equation 5.6
the procedure body $T\rho_j$ may contain one or more calls to a procedure whose node is
not on the cycle. If it can be shown that

  $g_{E_j \mid q(\bar z : \bar r)}(\gamma) = c(\Sigma^M(E_j \mid q(\bar z : \bar r))(s)|X)$   (5.10)

then the following holds.

  $g_{E_j \mid_p q(\bar z : \bar r)}(b-1, \gamma, r_1(b-1,\gamma), \ldots, r_n(b-1,\gamma))$

    $= g_{E_j \mid q(\bar z : \bar r)}(\gamma)$

    $= c(\Sigma^M(E_j \mid q(\bar z : \bar r))(s)|X)$

    $= c(\Sigma^M(E_j \mid_{b-1} q(\bar z : \bar r))(s)|X)$

The height of the $E_j \mid q(\bar z : \bar r)$ di-graph will be less than $h$. Thus, equation 5.10 holds
by induction on $h$.

In proving equation 5.6 for a call to the next node on a cycle equation 5.9 must
be proved. Here $R_{d,i}\rho_{d,i}$ may contain one or more calls to a procedure whose node is
not on the cycle. This case is handled as it was in the previous paragraph. □

Theorem 55 The class of functions computed by $\mathcal{L}_P$ programs is the class of PR
functions.

Proof: Péter [32] shows that simultaneous recursion does not lead out of the class of
PR functions. The remainder of this proof is the same as the proof of Theorem 43
in Chapter 4. □

5.4     Verification of $\mathcal{L}_P$ Programs

Define the verification system $\mathcal{H}_P$ as in Chapter 4 with the rules involving proce-
dures modified to accommodate parameters. In addition, a third substitution rule is
given to capture the notion of substitutionally equivalent programs. Let $\bigcup_{1 \le i \le n}(f(i))$
denote a set of $n$ formulas, $f(1), \ldots, f(n)$.
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Non-Recursive Procedure Call Rule

  $\{P\}\, E \mid S\rho\, \{Q\}$
  ------------------------------------------
  $\{P\}\, E \mid p(\bar z : \bar r)\, \{Q\}$

for $E \mid p(\bar z : \bar r)$ not a start node, proc $p(\bar y : \bar s)$ $e; S$ end $\in E$ and
$\rho = [\bar z/\bar y, \bar r/\bar s]$.

Recursive Procedure Call Rule

  $\bigcup_{1 \le j \le n}(P[0/w_1, j/w_2] \to Q[0/w_1, j/w_2]),$

  $(\bigcup_{1 \le j \le n}(\{P[v-1/w_1, j/w_2] \land 0 < v \le e\}\, E_j \mid_{v-1} p(\bar z_j : \bar r_j)\, \{Q[v-1/w_1, j/w_2] \land 0 < v \le e\})$

    $\vdash_{\mathcal{H}_P} \bigcup_{1 \le j \le n}(\{P[v/w_1, j/w_2] \land 0 < v \le e\}\, E_j \mid_{v-1} S\rho_j\, \{Q[v/w_1, j/w_2] \land 0 < v \le e\}))$
  ------------------------------------------
  $\{(P[e/w_1, m/w_2])\sigma\}\, E \mid p(\bar z : \bar r)\, \{(Q[e/w_1, m/w_2])\sigma\}$

for proc $p(\bar y : \bar s)$ $e; S$ end $\in E$, $v \notin free(min(E \mid p(\bar z : \bar r))) \cup free(P \lor Q)$,
$r\text{-}index(E \mid p(\bar z : \bar r)) = \{E_j \mid p(\bar z_j : \bar r_j) \text{ for } 1 \le j \le n\}$, $\rho_j = [\bar z_j/\bar y, \bar r_j/\bar s]$
for $1 \le j \le n$ and $min(E \mid p(\bar z : \bar r)) = (min(E_m \mid p(\bar z_m : \bar r_m)))\sigma$ where $\sigma$
is an injective substitution on $free(P \lor Q) \cup free(min(E \mid p(\bar z : \bar r)))$.

Inner Procedure Call Rule

  $\{P\}\, E \mid_p S\rho\, \{Q\}$
  ------------------------------------------
  $\{P\}\, E \mid_p q(\bar w : \bar t)\, \{Q\}$

for $q$ on $p$'s cycle, $q \ne p$, proc $q(\bar y : \bar s)$ $e; S$ end $\in E$ and
$\rho = [\bar w/\bar y, \bar t/\bar s]$.

Off Cycle Procedure Call Rule

  $\{P\}\, E \mid q(\bar w : \bar t)\, \{Q\}$
  ------------------------------------------
  $\{P\}\, E \mid_p q(\bar w : \bar t)\, \{Q\}$

for $q$ not on $p$'s cycle.


Substitution Rule #1

  $\{P\}\, E \mid_p p(\bar z : \bar r)\, \{Q\}$
  ------------------------------------------
  $\{P[\bar x/\bar y]\}\, E \mid_p p(\bar z : \bar r)\, \{Q[\bar x/\bar y]\}$

where $\bar x \cap free(min(E \mid_p p(\bar z : \bar r))) = \emptyset$ and $\bar y \cap free(min(E \mid_p p(\bar z : \bar r))) = \emptyset$.


Substitution Rule #2

  $\{P\}\, E \mid_p p(\bar z : \bar r)\, \{Q\}$
  ------------------------------------------
  $\{P[e/y]\}\, E \mid_p p(\bar z : \bar r)\, \{Q\}$

where $y \cap (free(min(E \mid_p p(\bar z : \bar r))) \cup free(Q)) = \emptyset$.


Substitution Rule #3

  $\{P\}\, E \mid_p S\, \{Q\}$
  ------------------------------------------
  $\{P\sigma\}\, E' \mid_p S'\, \{Q\sigma\}$

where $min(E' \mid_p S') = (min(E \mid_p S))\sigma$ and $\sigma$ is a substitution which is
injective on $free(P \lor Q) \cup free(min(E \mid_p S))$.


5.5     Soundness of $\mathcal{H}_P$

Theorem 56 (Soundness) For a Hoare triple $\{P\}\, E \mid S\, \{Q\}$

  $\vdash_{\mathcal{H}_P} \{P\}\, E \mid S\, \{Q\} \;\Longrightarrow\; \models_{PRA} \{P\}\, E \mid S\, \{Q\}.$

Proof: Prove this by induction on the proof system $\mathcal{H}_P$. Each rule is proved sound as
it was in Chapter 4. The soundness of Substitution Rule #3 follows from Lemma 52.
The proof of the soundness of the Recursive Procedure Call Rule will be given.

Recursive Procedure Call Rule:

Assume $\vdash_{\mathcal{H}_P} \{(P[e/w_1, m/w_2])\sigma\}\, E \mid p(\bar z : \bar r)\, \{(Q[e/w_1, m/w_2])\sigma\}$ for
proc $p(\bar y : \bar s)$ $e; S$ end $\in E$, $E \mid p(\bar z : \bar r)$ a start node, $r\text{-}index(E \mid p(\bar z : \bar r)) =
\{E_j \mid p(\bar z_j : \bar r_j) \text{ for } 1 \le j \le n\}$ and $min(E \mid p(\bar z : \bar r)) = (min(E_m \mid p(\bar z_m : \bar r_m)))\sigma$
for $\sigma$ an injective substitution on $free(P \lor Q) \cup free(min(E \mid p(\bar z : \bar r)))$. Let $\rho_j =
[\bar z_j/\bar y, \bar r_j/\bar s]$ for $1 \le j \le n$. In that proof, for $1 \le j \le n$, $\vdash_{PRA} P[0/w_1, j/w_2] \to
Q[0/w_1, j/w_2]$ and for $v \notin free(min(E \mid p(\bar z : \bar r))) \cup free(P \lor Q)$,

  $\bigcup_{1 \le j \le n}(\{P[v-1/w_1, j/w_2] \land 0 < v \le e\}\, E_j \mid_{v-1} p(\bar z_j : \bar r_j)\, \{Q[v-1/w_1, j/w_2] \land 0 < v \le e\})$

  $\vdash_{\mathcal{H}_P} \bigcup_{1 \le j \le n}(\{P[v/w_1, j/w_2] \land 0 < v \le e\}\, E_j \mid_{v-1} S\rho_j\, \{Q[v/w_1, j/w_2] \land 0 < v \le e\}).$


Due to our restricted notion of provability, the above proof did not require
an additional application of the Recursive Procedure Call Rule. Therefore, by
induction on the soundness of the proof system

  $\bigcup_{1 \le j \le n}(\models_{PRA} \{P[v-1/w_1, j/w_2] \land 0 < v \le e\}\, E_j \mid_{v-1} p(\bar z_j : \bar r_j)\, \{Q[v-1/w_1, j/w_2] \land 0 < v \le e\})$

implies

  $\bigcup_{1 \le j \le n}(\models_{PRA} \{P[v/w_1, j/w_2] \land 0 < v \le e\}\, E_j \mid_{v-1} S\rho_j\, \{Q[v/w_1, j/w_2] \land 0 < v \le e\}).$

The following is proven, for $1 \le j \le n$ and $b \ge 0$, by induction on $b$ as in
Chapter 4.

  $\models_I \Sigma^M(E_j \mid p(\bar z_j : \bar r_j)\ v)(P[v/w_1, j/w_2] \land 0 < v \le b) \subseteq (Q[v/w_1, j/w_2] \land 0 < v \le b).$   (5.11)

Prove $\models_I \Sigma^M(E \mid p(\bar z : \bar r))((P[e/w_1, m/w_2])\sigma) \subseteq (Q[e/w_1, m/w_2])\sigma$. This holds
if $\models_I \Sigma^M((E_m \mid p(\bar z_m : \bar r_m))\sigma)((P[e/w_1, m/w_2])\sigma) \subseteq (Q[e/w_1, m/w_2])\sigma$. This
holds if $\models_I \Sigma^M(E_m \mid p(\bar z_m : \bar r_m)\ I(e)(s))(P[e/w_1, m/w_2]) \subseteq Q[e/w_1, m/w_2]$. For
$I(e)(s) = 0$ the statement holds because $\models_I P[0/w_1, m/w_2] \to Q[0/w_1, m/w_2]$.
Say $I(e)(s) > 0$. Statement 5.11, where $b = I(e)(s)$ and $j = m$, implies
$\models_I \Sigma^M(E_m \mid p(\bar z_m : \bar r_m)\ I(e)(s))(P[e/w_1, m/w_2]) \subseteq Q[e/w_1, m/w_2]$.


5.6     Completeness of $\mathcal{H}_P$

In order to prove the completeness of $\mathcal{H}_P$, show the provability of a MGF for a
program unit $E \mid S$.

Lemma 57 (MGF) For a program unit $E \mid S$ where $free(min(E \mid S)) = X = \{x_1, \ldots, x_k\}$,
$Y = \{y_1, \ldots, y_k\}$, $X \cap Y = \emptyset$, $\rho = [\bar y_k/\bar x_k]$ and $y = c(y_1, \ldots, y_k)$
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Proof: Assume that $i$ goes from 1 to $k$. This proof is similar to the proof of the
MGF of Chapter 4. The following is assumed to hold for the non-call constructs.

  $\vdash_{\mathcal{H}_P} \{x_i = y_i\}\, E \mid S\, \{x_i = (g_{E \mid S}\rho(y))_{y_i}\}$   (5.12)

  $\vdash_{\mathcal{H}_P} \{x_i = y_i\}\, E \mid_b S\rho\, \{x_i = (g_{E \mid_p S\rho}(b, y, r_1\rho(b, y), \ldots, r_n\rho(b, y)))_{y_i}\}$   (5.13)

for a cycle entered via the call $E' \mid p(\bar z : \bar r)$, $r\text{-}index(E' \mid p(\bar z : \bar r)) =
\{E_j \mid p(\bar z_j : \bar r_j) \text{ for } 1 \le j \le n\}$ and $r_j = r_{E_j \mid p(\bar z_j : \bar r_j)}$, $1 \le j \le n$.

The proof will be given that the lemma holds for a call $E \mid p(\bar z : \bar r)$ which is the
start node of one or more cycles and where the height of the $E \mid p(\bar z : \bar r)$ di-graph is 0.
Let proc $p(\bar y : \bar s)$ $e; T$ end $\in E$, $r\text{-}index(E \mid p(\bar z : \bar r)) = \{E_j \mid p(\bar z_j : \bar r_j) \text{ for } 1 \le j \le
n\}$ and $min(E \mid p(\bar z : \bar r)) = (min(E_m \mid p(\bar z_m : \bar r_m)))\sigma$ for $\sigma$ an injective substitution
on $X \cup Y$. Let $r = r_{E \mid p(\bar z : \bar r)}$. For $1 \le j \le n$, let $r_j = r_{E_j \mid p(\bar z_j : \bar r_j)}$ and $\rho_j = [\bar z_j/\bar y, \bar r_j/\bar s]$.
Finally, say $\tau = \sigma\rho$. Recall that $var(e) \cap free(min(E \mid p(\bar z : \bar r))) = \emptyset$ so $\sigma(e) = e$.


  $\{x_i = y_i\}\, E \mid p(\bar z : \bar r)\, \{x_i = (g_{E \mid p(\bar z : \bar r)}\rho(y))_{y_i}\}$

      a  |  Consequence Rule  |  b

  Let $d$ be a fresh variable.

  $u = c((y_1\_y_1\tau) \cdots (y_k\_y_k\tau))$

  $\{(x_i = y_i\tau \land d = e)\sigma\}\, E \mid p(\bar z : \bar r)\, \{(x_i = (r\rho(d, u, m))_{y_i} \land d = e)\sigma\}$

      Recursive Procedure Call Rule
      precondition: $x_i = y_i\tau \land d = w_1$
      postcondition: $x_i = (r\rho(d, u, w_2))_{y_i} \land d = w_1 \land 0 \le d \le e$

  For $1 \le j \le n$, $(x_i = y_i\tau \land d = 0) \to (x_i = (r\rho(d, u, j))_{y_i} \land d = 0 \land 0 \le d \le e)$,

  Assume $\bigcup_{1 \le j \le n}(\{x_i = y_i\tau \land d = v-1 \land 0 < v \le e\}\, E_j \mid_{v-1} p(\bar z_j : \bar r_j)\, \{x_i =
  (r\rho(d, u, j))_{y_i} \land d = v-1 \land 0 \le d \le e \land 0 < v \le e\})$

  Prove

  $\bigcup_{1 \le j \le n}(\{x_i = y_i\tau \land d = v \land 0 < v \le e\}\, E_j \mid_{v-1} T\rho_j\,
  \{x_i = (r\rho(d, u, j))_{y_i} \land d = v \land 0 \le d \le e \land 0 < v \le e\})$


That is, prove the above for arbitrary $j$.

  $\{x_i = y_i\tau \land d = v \land 0 < v \le e\}\, E_j \mid_{v-1} T\rho_j\,
  \{x_i = (r\rho(d, u, j))_{y_i} \land d = v \land 0 \le d \le e \land 0 < v \le e\}$

      Consequence Rule
      Let $y'$ be the result of extending code $u$ to include the element $(d'\_v)$,
      $\rho' = [\bar y_k/\bar x_k, d'/v]$ and $g_{E_j \mid_p T\rho_j}$ be extended to operate on the state code
      $y'$ so that it leaves $d'$ unchanged. Let $g = g_{E_j \mid_p T\rho_j}$.

  $\{x_i = y_i\tau \land d = v \land 0 \le d \le e\}\, E_j \mid_{v-1} T\rho_j$

  $\{x_i = (g\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{y_i} \land$

  $d = (g\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{d'} \land 0 \le d \le e\}$


This Hoare triple holds for the non-call constructs as follows.

  $\{x_i = y_i\tau \land d = v \land 0 \le d \le e\}\, E_j \mid_{v-1} T\rho_j$
  $\{x_i = (g\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{y_i} \land$
  $d = (g\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{d'} \land 0 \le d \le e\}$

      Invariance Rule

  $\{x_i = y_i\tau \land d = v\}\, E_j \mid_{v-1} T\rho_j$
  $\{x_i = (g\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{y_i} \land$
  $d = (g\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{d'}\}$

      MGF


Since $h = 0$ calls in procedure body $T\rho_j$ can only be to the first node on a cycle.
Consider the cycles on node $E \mid p(\bar z : \bar r)$. Label the calls participating in these cycles
as they were labeled in the example proof on page 63. That is, label them according
to how many calls there are between the edge representing this call and the edge
entering node $E \mid p(\bar z : \bar r)$. The triple is proven for each call $E_{t,m} \mid_p q_{t,m}(\bar z_{t,m} : \bar r_{t,m})$ if
the following can be shown for $0 \le l \le m$. Let $g_l = g_{E_{t,l} \mid_p q_{t,l}(\bar z_{t,l} : \bar r_{t,l})}$.
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  $\vdash_{\mathcal{H}_P} \{x_i = y_i\tau \land d = v \land 0 \le d \le e\}\, E_{t,l} \mid_{v-1} q_{t,l}(\bar z_{t,l} : \bar r_{t,l})$
  $\{x_i = (g_l\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{y_i} \land$   (5.14)

  $d = (g_l\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{d'} \land 0 \le d \le e\}.$

This is proven, for any $t$, by induction on $l$. Only the case $l = 0$ is given.

Let $l = 0$, $min(E_{t,0} \mid_{v-1} q_{t,0}(\bar z_{t,0} : \bar r_{t,0})) = (min(E_a \mid_{v-1} p(\bar z_a : \bar r_a)))\pi$ and $\nu = \pi\rho$.


  $\{x_i = y_i\tau \land d = v \land 0 \le d \le e\}\, E_{t,0} \mid_{v-1} q_{t,0}(\bar z_{t,0} : \bar r_{t,0})$
  $\{x_i = (g_0\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{y_i} \land$
  $d = (g_0\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{d'} \land$
  $0 \le d \le e\}$

      c  |  Consequence Rule  |  d

  Let $u' = c((y_1\_y_1\tau\nu) \cdots (y_k\_y_k\tau\nu))$

  $\{(x_i = y_i\tau\nu \land d = v \land 0 < v \le e)\pi\}\, E_{t,0} \mid_{v-1} q_{t,0}(\bar z_{t,0} : \bar r_{t,0})$
  $\{(x_i = (r\rho'(d-1, u', a))_{y_i} \land d = v \land 0 < v \le e)\pi\}$

      Substitution Rule #3

  $\{x_i = y_i\tau\nu \land d = v \land 0 < v \le e\}\, E_a \mid_{v-1} p(\bar z_a : \bar r_a)$
  $\{x_i = (r\rho'(d-1, u', a))_{y_i} \land d = v \land 0 < v \le e\}$

      Consequence Rule

  $\{x_i = y_i\tau\nu \land d-1 = v-1 \land 0 < v \le e\}\, E_a \mid_{v-1} p(\bar z_a : \bar r_a)$

  $\{x_i = (r\rho(d-1, u', a))_{y_i} \land d-1 = v-1 \land 0 \le d-1 \le e \land 0 < v \le e\}$


This Hoare triple is the assumption with $\nu$ applied to $y_i\tau$ and $d$ replaced by $d-1$.
This translation is proved using the Substitution, Invariance and Consequence Rules.
The proof of implication a is as follows.

  $x_i = y_i$

  $\Longrightarrow x_i = y_i \land d = e$

  $\Longrightarrow x_i\sigma = y_i\tau \land d = e$

  $\Longrightarrow (x_i = y_i\tau \land d = e)\sigma$
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Following is a proof of implication b.

  $(x_i = (r\rho(d, u, m))_{y_i} \land d = e)\sigma$

  $\Longrightarrow x_i\sigma = (((r\rho(d, u, m))\tau^{-1})\tau)_{y_i}$

  $\Longrightarrow x_i\sigma = ((g_{E \mid p(\bar z : \bar r)}\rho(y))\tau)_{y_i}$

  $\Longrightarrow x_i = (g_{E \mid p(\bar z : \bar r)}\rho(y))_{y_i}$


Following is a proof of c.

  $x_i = y_i\tau \land d = v \land 0 \le d \le e$

  $\Longrightarrow x_i\pi = y_i\tau\nu \land d = v \land 0 < v \le e$

  $\Longrightarrow (x_i = y_i\tau\nu \land d = v \land 0 < v \le e)\pi$

Here is the proof of d.

  $(x_i = (r\rho'(d-1, u', a))_{y_i} \land d = v \land 0 < v \le e)\pi$

  $\Longrightarrow x_i\pi = (((r\rho'(d-1, u', a))\nu^{-1})\nu)_{y_i} \land d = v \land 0 < v \le e$

  $\Longrightarrow x_i\pi = ((g_0\rho'(d-1, y', r_1\rho'(d-1, y'), \ldots, r_n\rho'(d-1, y')))\nu)_{y_i} \land d = v \land 0 < v \le e$

  $\Longrightarrow x_i = (g_0\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{y_i} \land$
  $d = (g_0\rho'(v-1, y', r_1\rho'(v-1, y'), \ldots, r_n\rho'(v-1, y')))_{d'} \land 0 < v \le e$

Theorem 58 (Completeness) For a Hoare triple $\{P\}\, E \mid S\, \{Q\}$

  $\models_{PRA} \{P\}\, E \mid S\, \{Q\} \;\Longrightarrow\; \vdash_{\mathcal{H}_P} \{P\}\, E \mid S\, \{Q\}.$

Proof:     This  proof  uses  the  same  technique  as  was  used  to  prove  the  Completeness 
Theorem  of  Chapter  4.  □ 


CHAPTER  6 
CONCLUSION 


The system presented in this dissertation has the following property. Given a pro-
gram in  the  language,  its  input/output  relation  is  described  by  a  primitive  recursive 
function.  Call  this  function  the  program's  function.  Similarly,  the  input/output  rela- 
tion of  every  construct  in  the  program  is  described  by  a  primitive  recursive  function. 
Call  these  functions  the  constructs'  functions.  The  way  the  constructs  are  grouped 
together to make up the program corresponds to the way the program's function
is built from the constructs' functions. There is also an axiom in Primitive Recur-
sive Arithmetic corresponding to each construction. Thus, while the syntax of the
programming language presented here differs little from an ALGOL-like language,
basing the language on Primitive Recursive Arithmetic caused the syntax of a
program to correspond to the structure of the function which describes that program.
In  other  systems  it  may  be  possible  to  find  a  function  which  describes  a  program, 
but  this  function  may  have  no  relation  to  the  syntactical  structure  of  that  program. 

The  guidelines  for  restricting  recursion  in  the  language  were  provided  by  Primitive 
Recursive  Arithmetic.  In  order  to  guarantee  that  all  programs  in  the  language  can 
be  described  by  a  primitive  recursive  function,  restrictions  had  to  be  made  so  that 
all  recursive  calls  would  be  cleanly  nested.  This  required  the  elimination  of  mutually 
recursive  calls  and  a  recursive  routine  making  a  call  to  its  parent.  The  result  is  a 
language  for  which  all  call  di-graphs  can  be  translated  into  trees.  Hence,  proofs  can 
be  layered.  Hoare  triples  for  the  leaf  nodes  are  proved  first.  These  triples  are  used 
to  prove  Hoare  triples  for  the  nodes  calling  the  leaf  nodes.    In  this  way  one  moves 
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up  the  tree,  or  down  the  tree  as  some  people  prefer  to  see  it,  until  a  Hoare  triple  is 
proved  for  the  root  of  the  tree. 

Basing  a  language  on  Primitive  Recursive  Arithmetic  also  provided  the  impetus 
to  bring  verificational  issues  into  the  development  process.  Specifically,  it  forces  an 
expression  for  the  number  of  iterations  of  a  loop  to  be  given  when  that  loop  is  en- 
tered. Similarly,  it  forces  an  expression  to  be  given  with  each  recursive  procedure 
bounding  the  number  of  times  that  procedure  can  be  nested.  These  bounds  are  re- 
quired because  all  primitive  recursive  functions  are  total.  There  is  no  halting  problem 
for  languages  which  compute  the  class  of  primitive  recursive  functions.  The  author 
suggests  that  requiring  programmers  to  think  about  the  termination  of  their  pro- 
grams at  development  time,  rather  than  at  verification  time,  forces  them  to  reason 
more  precisely  about  their  programs.  Rather  than  hampering  development,  this  may 
enhance  it  by  providing  a  framework  for  better  conceived  programs. 

Not  all  total  functions  are  primitive  recursive.  Ackermann's  function  was  men- 
tioned in  Chapter  4  as  the  classic  example  of  a  total  function  which  is  not  primitive 
recursive.  Ackermann's  function  grows  so  quickly  that  it  majorizes  every  primitive 
recursive  function.  The  restriction  that  recursive  calls  in  a  programming  language 
be  nested  is  necessary  to  guarantee  that  a  program  which  computes  Ackermann's 
function  cannot  be  written  in  the  language.  Furthermore,  given  a  particular  pro- 
gram there  is  a  bound  on  the  number  of  recursive  procedures  that  can  be  nested. 
A  recursive  call  within  a  loop  body  to  a  procedure  containing,  directly  or  indirectly, 
that  loop  would  allow  the  bound  on  the  number  of  recursive  procedures  that  can  be 
nested  to  be  an  expression  on  the  program's  inputs.  This  would  allow  a  program 
to  be  written  which  computes  Ackermann's  function.  Thus  a  primitive  recursive 
programming  language  must  be  restricted  so  that  such  a  call  cannot  be  made.  At 
first  this  restriction  appears  arbitrary.    Notice,  however,  that  it  would  be  difficult 
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to  describe  the  functionality  of  a  loop  body  which  contains  a  call  to  a  procedure 
containing  that  loop.  Furthermore,  the  computational  practicality  of  such  a  call  is 
limited.  The  computation  sequences  for  nested  recursive  routines  are  long.  Placing 
these  in  a  loop  increases  this  length  only  linearly.  A  recursive  call  within  a  loop,  to  a 
procedure  containing  that  loop,  is  much  more  complex.  For  each  iteration  of  the  loop 
the  recursive  call  is  made  and  the  loop  is  restarted,  requiring  the  recursive  call  to 
be  made  again.  This  is  how  Ackermann's  function  is  able  to  grow  so  quickly.  While 
this  restriction  is  only  necessary  if  all  programs  in  the  language  are  to  compute  prim- 
itive recursive  functions,  it  may  be  a  reasonable  restriction  for  other  programming 
languages  as  well. 

Whether  or  not  the  primitive  recursive  programming  language  is  being  used, 
adherence to the programming language restrictions in this dissertation results in a
more  understandable,  maintainable  and  verifiable  programming  language.  Primitive 
Recursive  Arithmetic  has  provided  the  guidelines  for  these  restrictions.  It  would  be 
intriguing  to  compare  the  development  of  a  primitive  recursive  programming  language 
with  the  development  of  a  language  based  on  another  class  of  functions.  It  would 
be  interesting  to  see  this  done  with  the  class  of  elementary  functions  or  the  class 
of  functions  which  run  in  polynomial  time.  Another  direction  for  future  work  is  to 
add  a  restricted  form  of  global  formal  procedure  identifiers  which  would  allow  calls  to 
have  arbitrarily  long  reference  chains.  Would  such  a  primitive  recursive  programming 
language  be  so  structured  that,  even  with  arbitrary  long  reference  chains,  it  would 
have  a  sound  and  complete  Hoare  verification  system? 


APPENDIX  A 
PRIMITIVE  RECURSIVE  FUNCTIONS 

The definition of the class of primitive recursive functions used in this dissertation
is the closure of the zero, successor and projection functions under the operations of
composition and primitive recursion. More formally, the class of primitive recursive
functions is the smallest class of functions that contains the basic functions:

  $g(x) = 0$,   $g(x) = x + 1$,   and   $g(\bar x_k) = x_i$ for $1 \le i \le k$, $k \ge 1$,

and is closed under composition, $f = h \circ (g_1, \ldots, g_m)$, and primitive recursion,

  $f(x + 1, \bar y_n) = g(x, \bar y_n, f(x, \bar y_n)).$
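As an added illustration (not part of the dissertation), the closure just defined can be written out directly: the three basic functions, composition, and the primitive-recursion scheme, from which addition, multiplication and exponentiation are assembled. For contrast it also defines the Ackermann variant used in Appendix C, whose nesting depth depends on its own input and so cannot be produced by the scheme; the names `compose`, `primrec` and `acker` are the example's own.

```python
"""Primitive recursive functions as first-class Python objects.

Added example, not from the dissertation. Every PR function is a Python
callable on non-negative ints. `compose` and `primrec` are the two closure
operations of Appendix A, in the argument order used there:
    f(0, y)     = g(y)
    f(x + 1, y) = h(x, y, f(x, y))
`acker` is the Appendix C form of Ackermann's function, written directly.
"""
from __future__ import annotations
from typing import Callable

PR = Callable[..., int]


def zero(*_args: int) -> int:
    """Basic function g(x) = 0 (accepts any arity)."""
    return 0


def succ(x: int) -> int:
    """Basic function g(x) = x + 1."""
    return x + 1


def proj(i: int, k: int) -> PR:
    """Basic function g(x_1, ..., x_k) = x_i for 1 <= i <= k."""
    if not 1 <= i <= k:
        raise ValueError("projection index out of range")

    def p(*args: int) -> int:
        if len(args) != k:
            raise TypeError(f"proj_{i}^{k} expects {k} arguments")
        return args[i - 1]
    return p


def compose(h: PR, *gs: PR) -> PR:
    """Composition f = h o (g_1, ..., g_m): f(x) = h(g_1(x), ..., g_m(x))."""
    def f(*args: int) -> int:
        return h(*(g(*args) for g in gs))
    return f


def primrec(g: PR, h: PR) -> PR:
    """Primitive recursion on the first argument.

    The recursion depth is the value of the first argument, fixed before
    the loop starts, so the result is total: the loop runs exactly x times.
    """
    def f(x: int, *ys: int) -> int:
        acc = g(*ys)                 # f(0, y) = g(y)
        for n in range(x):
            acc = h(n, *ys, acc)     # f(n + 1, y) = h(n, y, f(n, y))
        return acc
    return f


# add(x, y): add(0, y) = y ; add(n + 1, y) = succ(add(n, y))
add = primrec(proj(1, 1), compose(succ, proj(3, 3)))
# mul(x, y): mul(0, y) = 0 ; mul(n + 1, y) = add(y, mul(n, y))
mul = primrec(zero, compose(add, proj(2, 3), proj(3, 3)))
# exp(x, y) = y ** x: exp(0, y) = 1 ; exp(n + 1, y) = mul(y, exp(n, y))
one = compose(succ, zero)
exp = primrec(one, compose(mul, proj(2, 3), proj(3, 3)))


def two_pow(m: int) -> int:
    """2^m built from the closure; by Appendix C this equals Acker(0, m)."""
    return exp(m, 2)


def acker(n: int, m: int) -> int:
    """Ackermann's function as fixed in Appendix C (last input fixed to 2).

    Acker(0, m) = 2^m ; Acker(n+1, 0) = 1 ;
    Acker(n+1, m+1) = Acker(n, Acker(n+1, m)).
    The inner call feeds its result back as the *second* argument of an
    outer call, so the nesting depth is not fixed by the inputs in advance,
    which is exactly what `primrec` cannot express.
    """
    if n == 0:
        return 2 ** m
    if m == 0:
        return 1
    return acker(n - 1, acker(n, m - 1))


def monotone_in_first_arg(m: int, upto: int) -> bool:
    """Check the Appendix C remark that for m >= 2, x >= y implies
    Acker(x, m) >= Acker(y, m), for x, y in 0..upto (small m only)."""
    values = [acker(x, m) for x in range(upto + 1)]
    return all(a <= b for a, b in zip(values, values[1:]))
```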
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APPENDIX  B 
PRIMITIVE  RECURSIVE  ARITHMETIC 

The symbols of Primitive Recursive Arithmetic, or PRA, are the constants 0 and
1, an infinite list of variables $x_1, x_2, \ldots$, the functions $zero$, $succ$, $proj_i^n$ for $1 \le i \le n$
and $n \ge 1$, $+$, $\times$, $f_1, f_2, \ldots$ and the relation $<$. The set of PRA terms is the closure
of $\{0, 1\} \cup \{x_1, x_2, \ldots\}$ under the zero ($zero$), successor ($succ$), projection ($proj_i^n$), $+$,
$\times$, $f_1, f_2, \ldots$ functions. For PRA terms $\tau_1$ and $\tau_2$, $\tau_1 = \tau_2$ and $\tau_1 < \tau_2$ are atomic
formulas. The set of quantifier-free formulas is the closure of atomic formulas under
the NOT ($\lnot$) and AND ($\land$) operations. The set of PRA formulas is the closure of the
set of quantifier-free formulas under the FOR ALL ($\forall$) operation.

The  axioms  of  PRA  follow. 

1. Basic Axioms:

  $x + 0 = 0 + x = x$

  $x + y = y + x$

  $x + (y + z) = (x + y) + z$

  $x \times 1 = 1 \times x = x$

  $x \times y = y \times x$

  $x \times (y \times z) = (x \times y) \times z$

  $x \times (y + z) = (x \times y) + (x \times z)$

  $0 < x$

  $x < y \;\to\; x + z < y + z$

  $x < y \land z > 0 \;\to\; x \times z < y \times z$

  $zero(x) = 0$

  $succ(x) = x + 1$

  $proj_i^n(x_1, \ldots, x_n) = x_i$ for $1 \le i \le n$ and $n \ge 1$

2. PR Axioms: Say $F_1, F_2, \ldots$ is a list of all the PR functions.
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If $F_i(\bar x) = F_j(F_{k_1}(\bar x), \ldots, F_{k_m}(\bar x))$ then

  $f_i(\bar x) = f_j(f_{k_1}(\bar x), \ldots, f_{k_m}(\bar x))$

is an axiom.

If $F_i(\bar x, 0) = F_j(\bar x)$ and $F_i(\bar x, z + 1) = F_l(F_i(\bar x, z), \bar x, z)$ then

  $f_i(\bar x, 0) = f_j(\bar x) \land f_i(\bar x, z + 1) = f_l(f_i(\bar x, z), \bar x, z)$

is an axiom.

3. Induction Axioms: If $\varphi$ is a quantifier-free formula then

  $\varphi(0) \land \forall x(\varphi(x) \to \varphi(succ(x))) \;\to\; \forall x\, \varphi(x)$

is an axiom.


APPENDIX  C 

THE $\Sigma_2$-ITERATION RULE IS NOT SOUND

In this appendix a non-standard model is developed for which $\Sigma_2$-induction does
not hold. It is shown that this model is a model of PRA and that for $a$, a non-standard
element of the model, $Acker(a, a)$ is not in the model. A small $\mathcal{L}_P$ program is
given, and a Hoare triple is proven for that program. This Hoare triple implies that
a sequence can be coded in the model which gives the value of Ackermann's function
$Acker(a, a)$.

Let $\mathcal{N}$ be a non-standard model of Peano Arithmetic. Take a non-standard ele-
ment $a$ of $\mathcal{N}$. Define the model $\mathcal{M} \subseteq \mathcal{N}$ as follows.

  $M_0 = \{x : x < a\}$

  $M_{k+1} = \{x : x < f(y) \text{ for some PR function } f \text{ and } y \in M_k\}$

  $\mathcal{M} = \bigcup_k M_k$

Claim 59     $\mathcal{M}$ is a model of PRA.

Proof: Each of PRA's basic axioms is universal so for these axioms, truth in $\mathcal{N}$
implies truth in $\mathcal{M}$. Model $\mathcal{M}$ is closed under the class of PR functions so the PR
axioms hold in $\mathcal{M}$. All that is left to show is that PRA's induction axiom holds in
$\mathcal{M}$. Note that strong induction implies weak induction so it suffices to show that, for
bounded formulas, strong induction holds in $\mathcal{M}$.

For a bounded formula $\varphi$ assume $\mathcal{M} \models \varphi(0) \land \forall x(\forall y < x\, \varphi(y) \to \varphi(x))$. Show
$\mathcal{M} \models \forall x\, \varphi(x)$. Suppose, by way of contradiction, that $\mathcal{M} \not\models \forall x\, \varphi(x)$. Then in $\mathcal{N}$
there must be a first place $b$ where $\mathcal{N} \not\models \varphi(b)$ yet $\mathcal{N} \models \forall x < b\, \varphi(x)$. Suppose $b$
occurs outside of $\mathcal{M}$. Then $b > x$ for all $x$ in the domain of $\mathcal{M}$. Since $\forall x < b\, \varphi(x)$
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is a bounded formula, $\mathcal{N} \models \forall x < b\, \varphi(x)$ implies $\mathcal{M} \models \forall x\, \varphi(x)$. Suppose $b$ occurs
within $\mathcal{M}$. Since $\forall x < b\, \varphi(x)$ is a bounded formula, $\mathcal{M} \models \forall x < b\, \varphi(x)$. This implies
$\mathcal{M} \models \varphi(b)$. Since $\varphi$ is a bounded formula this forces the contradiction $\mathcal{N} \models \varphi(b)$. □

Define Ackermann's function as it was defined in the introduction except fix the
last input value to two. That is, define Ackermann's function as follows.

  $Acker(0, m) = 2^m$

  $Acker(n + 1, 0) = 1$

  $Acker(n + 1, m + 1) = Acker(n, Acker(n + 1, m))$

Notice that for $m \ge 2$, $x \ge y$ implies $Acker(x, m) \ge Acker(y, m)$.

It will be shown that $Acker(a, a) \notin M_k$ for any $k$. Towards this end define what
it means for a variable to be captured. An element $x$ is captured if there is a PR
function $f$, increasing on every variable, where for some natural numbers $\bar n \in N$,
$x < f(\bar n, a)$.

Claim 60     $x \in M_k \Longrightarrow x$ is captured.

Proof: Prove the claim by induction on $k$. For $k = 0$, the successor function with
the single input $a$ captures all elements in $M_0$.

Assume the elements in $M_k$ are captured. Let $x \in M_{k+1}$. Then there is a PR
function $f$ and an input vector $\bar y \in M_k$ where $x < f(\bar y)$. Prove $x$ is captured by
induction on PR function $f$.

For $f$ the zero or projection function, $x \in M_{k+1}$ implies $x \in M_k$. Thus $x$ is
captured. For $f$ the successor function, $x$ is just one greater than an element $y$ of
$M_k$. Since $y$ was captured it is straightforward to see that $x$ can also be captured.

Say $f$ is defined by composition as $f = g(h_1, \ldots, h_m)$. Then $x \in M_{k+1}$ implies
$x < f(\bar y_r) = g(h_1(\bar y_r), \ldots, h_m(\bar y_r))$ where $\bar y_r \in M_k$. Each $y_i$ is captured by some function
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$f_i$ and vector $(n_i) \in N$. Let $\bar m_t \in N$ be a vector as long as any of the vectors $(n_i)$
and where for each position $j$ in each vector $(n_i)$, $m_j \ge (n_i)_j$.

Given increasing function $f_i$ defined on vector $(n_i)$ and $a$, define $f_i$ on $\bar m_t$ as
follows.

  $f_i(\bar m_t, a) = f_i(proj_1^t(\bar m_t), \ldots, proj_l^t(\bar m_t), a)$

Given any function $g$ on $\bar x_t$ we may assume $g$ is increasing on every variable by
replacing it with $\sum_{y_1=0}^{x_1} \sum_{y_2=0}^{x_2} \cdots \sum_{y_t=0}^{x_t} g(\bar y_t)$.

The following increasing PR function, with input $(\bar m_t, a)$, captures $x$.

  $g(h_1(f_1(\bar m_t, a), \ldots, f_r(\bar m_t, a)), \ldots, h_m(f_1(\bar m_t, a), \ldots, f_r(\bar m_t, a))).$

Say $f$ is defined by primitive recursion as follows.

  $f(0, \bar y_r) = g(\bar y_r)$

  $f(z + 1, \bar y_r) = h(z, \bar y_r, f(z, \bar y_r))$

Then $x \in M_{k+1}$ implies $x < f(z, \bar y_r)$ where $z, \bar y_r \in M_k$. Say $z$ is captured by some
function $d$ and a vector $\bar p \in N$, and each $y_i$ is captured by function $f_i$ and vector
$(n_i) \in N$. Let $\bar m_t \in N$ be a vector as long as any of the vectors $\bar p$ and $(n_i)$, and where,
for each position $j$ in $\bar p$ and $(n_i)$, $m_j \ge p_j, (n_i)_j$. Define $f_i$ as before. Similarly define
$d$. Replace all functions with increasing functions as before. The following increasing
PR function, with input $(\bar m_t, a)$, captures $x$.

  $g(\bar m_t, a) = e(d(\bar m_t, a), m_2, \ldots, m_t, a)$ where $e$ is defined as

  $e(0, m_2, \ldots, m_t, a) = g(f_1(\bar m_t, a), \ldots, f_r(\bar m_t, a))$

  $e(z + 1, m_2, \ldots, m_t, a) = h(z, f_1(\bar m_t, a), \ldots, f_r(\bar m_t, a), e(z, f_1(\bar m_t, a), \ldots, f_r(\bar m_t, a))).$


Claim 61    $Acker(a,a) \notin M_k$ for any $k$.

Proof: Suppose, by way of contradiction, that $Acker(a,a) \in M_k$ for some $k$. Then $Acker(a,a)$ must be captured by some increasing PR function $f$ and a vector of inputs $\bar{n}$ of natural numbers. Notice that $f(\bar{n}, a) = f_{\bar{n}}(a)$ for some PR function $f_{\bar{n}}$. Since Ackermann's function majorizes every PR function there is some $m \in N$ where $\forall x\, (f_{\bar{n}}(x) < Acker(m, x))$. Specifically $f_{\bar{n}}(a) < Acker(m, a)$. This leads to the contradiction

$$Acker(a,a) \le f(\bar{n}, a) = f_{\bar{n}}(a) < Acker(m, a).$$

Thus $Acker(a,a) \notin M_k$. $\Box$

Let $\pi$ stand for the following program.

    $\pi$:  z := 0
            loop a
              x := 0
              loop a
                x := x + 1
              end
              z := z + 1
            end

Given a sequence $\sigma$, let $(\sigma)_{n,m}$ be the value of the sequence at location $n, m$. Note that such a sequence can be coded and decoded primitive recursively. Define $A(\sigma, n, m)$ by

$$(n = 0 \rightarrow (\sigma)_{n,m} = 2^m) \;\wedge\; (n > 0 \wedge m = 0 \rightarrow (\sigma)_{n,m} = 1) \;\wedge\; (n > 0 \wedge m > 0 \rightarrow (\sigma)_{n,m} = (\sigma)_{n-1,(\sigma)_{n,m-1}}).$$

Define $R(\alpha, \beta)$ by

$$R(\alpha, \beta) \equiv \exists\sigma\, \forall n \le \alpha\, \forall m \le \beta\, A(\sigma, n, m).$$

It will be shown using the $\Sigma_2$-Iteration Rule that $\{T\}\pi\{R(a,a)\}$ can be proven. This incorrectly proves that a sequence can be coded in the model which gives the value of Ackermann's function $Acker(a,a)$.
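To make the gap between what $\pi$ computes and what the postcondition $R(a,a)$ asserts concrete, here is an added worked example (it is not code from the dissertation): a small interpreter for the loop language that $\pi$ is written in, and a constructive reading of $A(\sigma, n, m)$ that builds the finite table $\sigma$ witnessing $R(\alpha, \beta)$. The statement encoding, the names `run`, `PI`, `run_pi`, `build_sigma`, `holds_A`, `holds_R` and `acker`, and the dictionary representation of $\sigma$ are all this example's own choices.

```python
"""Added worked example, not part of the dissertation: an interpreter for the
loop language in which pi is written, plus a constructive reading of the
predicate A(sigma, n, m).  All names below are this example's own."""

from typing import Dict, List, Tuple

# A program is a list of statements (encoding chosen for this example):
#   ("zero", x)        x := 0
#   ("succ", x)        x := x + 1
#   ("loop", v, body)  loop v; body end  -- the body runs exactly v times, with
#                      v read once on entry, so the body cannot change the trip
#                      count.  That is what keeps every program primitive
#                      recursive: no loop can run "until done".
Stmt = Tuple
Store = Dict[str, int]


def run(program: List[Stmt], store: Store) -> Store:
    """Execute a loop program; unset variables read as 0."""
    env = dict(store)
    for stmt in program:
        op = stmt[0]
        if op == "zero":
            env[stmt[1]] = 0
        elif op == "succ":
            env[stmt[1]] = env.get(stmt[1], 0) + 1
        elif op == "loop":
            trips = env.get(stmt[1], 0)      # bound is fixed on loop entry
            for _ in range(trips):
                env = run(stmt[2], env)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return env


# The program pi from the text:
#   z := 0; loop a; x := 0; loop a; x := x + 1 end; z := z + 1 end
PI: List[Stmt] = [
    ("zero", "z"),
    ("loop", "a", [
        ("zero", "x"),
        ("loop", "a", [("succ", "x")]),
        ("succ", "z"),
    ]),
]


def run_pi(a: int) -> Tuple[int, int]:
    """Final (z, x) after running pi with parameter a.  Both are just a: the
    program itself computes nothing resembling Acker(a, a)."""
    env = run(PI, {"a": a})
    return env.get("z", 0), env.get("x", 0)


# A(sigma, n, m) pins down (sigma)_{n,m}:
#   n = 0          -> 2^m
#   n > 0, m = 0   -> 1
#   n > 0, m > 0   -> (sigma)_{n-1, (sigma)_{n,m-1}}
# so a table satisfying A on the rectangle n <= alpha, m <= beta is exactly a
# witness for R(alpha, beta), and (sigma)_{a,a} is the value Acker(a, a).

def build_sigma(alpha: int, beta: int) -> Dict[Tuple[int, int], int]:
    """Construct a finite table sigma with A(sigma, n, m) for all n <= alpha,
    m <= beta.  The third clause indexes sigma at (n-1, (sigma)_{n,m-1}), a
    column that may lie far beyond beta, so entries are filled on demand."""
    sigma: Dict[Tuple[int, int], int] = {}

    def entry(n: int, m: int) -> int:
        if (n, m) not in sigma:
            if n == 0:
                sigma[(n, m)] = 2 ** m
            elif m == 0:
                sigma[(n, m)] = 1
            else:
                sigma[(n, m)] = entry(n - 1, entry(n, m - 1))
        return sigma[(n, m)]

    for n in range(alpha + 1):
        for m in range(beta + 1):
            entry(n, m)
    return sigma


def holds_A(sigma: Dict[Tuple[int, int], int], n: int, m: int) -> bool:
    """Decide A(sigma, n, m) on a finite table; a missing entry falsifies it."""
    try:
        if n == 0:
            return sigma[(n, m)] == 2 ** m
        if m == 0:
            return sigma[(n, m)] == 1
        return sigma[(n, m)] == sigma[(n - 1, sigma[(n, m - 1)])]
    except KeyError:
        return False


def holds_R(sigma: Dict[Tuple[int, int], int], alpha: int, beta: int) -> bool:
    """R(alpha, beta) with sigma supplied as the existential witness."""
    return all(holds_A(sigma, n, m)
               for n in range(alpha + 1) for m in range(beta + 1))


def acker(a: int, b: int) -> int:
    """Acker(a, b) read off the witness table for R(a, b)."""
    return build_sigma(a, b)[(a, b)]
```

`run_pi(3)` returns `(3, 3)`, and `build_sigma(2, 3)` succeeds with $(\sigma)_{2,3} = 65536$, so `holds_R(build_sigma(2, 3), 2, 3)` is true. Already `build_sigma(2, 4)` needs $(\sigma)_{1,65536}$, a tower of 65536 twos, and does not finish: the table whose existence $R(a,a)$ asserts grows like Ackermann's function, while the loop program that the $\Sigma_2$-Iteration Rule is applied to only ever counts to $a$.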

Claim 62    $\vdash_{\mathcal{H}_{PR}} \{T\}\pi\{R(a,a)\}$.

Proof:

$\{T\}\pi\{R(a,a)\}$

    ↑ Assignment Axiom, Composition and Consequence Rules

$\{z = 0 \wedge \forall m\, R(z,m)\}$ loop a; x := 0; loop a; x := x + 1 end; z := z + 1 end $\{z = a \wedge \forall m\, R(z,m)\}$

    ↑ $\Sigma_2$-Iteration Rule, loop invariant: $z = v \wedge \forall m\, R(z,m)$

$\{z = v \wedge \forall m\, R(z,m) \wedge 0 \le v < a\}$ x := 0; loop a; x := x + 1 end; z := z + 1 $\{z = v + 1 \wedge \forall m\, R(z,m)\}$

    ↑ Assignment Axiom, Composition and Consequence Rules

$\{z = v \wedge x = 0 \wedge \forall m\, R(z,m) \wedge R(z+1, x)\}$ loop a; x := x + 1 end $\{z = v \wedge x = a \wedge \forall m\, R(z,m) \wedge R(z+1, x)\}$

    ↑ $\Sigma_2$-Iteration Rule, loop invariant: $z = v \wedge x = w \wedge \forall m\, R(z,m) \wedge R(z+1, x)$

$\{z = v \wedge x = w \wedge \forall m\, R(z,m) \wedge R(z+1, x) \wedge 0 \le w < a\}$ x := x + 1 $\{z = v \wedge x = w + 1 \wedge \forall m\, R(z,m) \wedge R(z+1, x)\}$

    ↑ $\alpha$ | Consequence Rule

$\{(z = v \wedge x = w + 1 \wedge \forall m\, R(z,m) \wedge R(z+1, x))[x+1/x]\}$ x := x + 1 $\{z = v \wedge x = w + 1 \wedge \forall m\, R(z,m) \wedge R(z+1, x)\}$

    Assignment Axiom

Implication $\alpha$ is proven as follows.

$z = v \wedge x = w \wedge \forall m\, R(z,m) \wedge R(z+1, x) \wedge 0 \le w < a$

$\Rightarrow\; z = v \wedge x + 1 = w + 1 \wedge \forall m\, R(z,m) \wedge R(z+1, x)$

$\Rightarrow\; z = v \wedge x + 1 = w + 1 \wedge \forall m\, R(z,m) \wedge \exists\sigma\, \exists r\, (\forall n \le z+1\, \forall m \le x\, A(\sigma, n, m) \wedge A(\sigma, z, r) \wedge r = (\sigma)_{z+1,x})$

$\Rightarrow\; z = v \wedge x + 1 = w + 1 \wedge \forall m\, R(z,m) \wedge \exists\sigma\, \forall n \le z+1\, \forall m \le x+1\, A(\sigma, n, m)$

$\Rightarrow\; z = v \wedge x + 1 = w + 1 \wedge \forall m\, R(z,m) \wedge R(z+1, x+1)$

$\Rightarrow\; (z = v \wedge x = w + 1 \wedge \forall m\, R(z,m) \wedge R(z+1, x))[x+1/x]$

$\Box$

It is interesting to compare this $\mathcal{H}_{PR}$ proof with the PRA+$\Sigma_2$-induction proof that a sequence exists which codes the values of Ackermann's function $Acker(a,a)$.

Claim 63    $\vdash_{PRA+\Sigma_2\text{-induction}} R(a,a)$.

Proof: The claim is established by proving $\forall m\, R(v,m)$ by induction on $v$. The formula $\forall m\, R(0,m)$ holds since for any $m$, $(\sigma)_{0,m} = 2^m$. Assume $\forall m\, R(v,m)$. Show $\forall m\, R(v+1,m)$ by induction on $m$.

The formula $R(v+1, 0)$ holds since for any $n$, $(\sigma)_{n,0} = 1$. Assume $R(v+1, w)$. Then the following holds.

$$\exists\sigma\, \exists r\, \forall n \le v+1\, \forall m \le w+1\, (A(\sigma, n, m) \wedge A(\sigma, v, r) \wedge r = (\sigma)_{v+1,w})$$

The model contains $(\sigma)_{v+1,w}$ by the second assumption and $(\sigma)_{v,r}$ by the first. Therefore $R(v+1, w+1)$.

$\Box$

The nested induction in the above proof corresponds to the nested loops in the program. In the above proof the first induction formula corresponds to the invariant of the outer program loop. The second induction formula is less complex than the invariant of the inner program loop. This is because the crucial step in both proofs requires two assumptions. In the above proof the outer assumption is automatically available. In the $\mathcal{H}_{PR}$ proof this assumption must be carried in the loop invariant. The inner loop invariant is $z = v \wedge \forall m\, R(z,m) \wedge x = w \wedge R(z+1, x)$. The formula $z = v \wedge \forall m\, R(z,m)$ provides the first assumption. The formula $x = w \wedge R(z+1, x)$ provides the second.
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